We formalise a general concept of distributed systems as sequential components interacting asynchronously. We define a corresponding class of Petri nets, called LSGA nets, and precisely characterise those system specifications which can be implemented as LSGA nets up to branching ST-bisimilarity with explicit divergence.


1 Introduction 

The aim of this paper is to contribute to a fundamental understanding of the concept of a distributed reactive system and the paradigms of synchronous and asynchronous interaction. We start by giving an intuitive characterisation of the basic features of distributed systems. In particular we assume that distributed systems consist of components that reside on different locations, and that any signal from one component to another takes time to travel. Hence the only interaction mechanism between components is asynchronous communication.

Our aim is to characterise which system specifications may be implemented as distributed systems. 






In many formalisms for system specification or design, synchronous communication is provided as a basic notion; this happens for example in process algebras. Hence a particular challenge is that it may be necessary to simulate synchronous communication by asynchronous communication.

Trivially, any system specification may be implemented distributedly by locating the whole system on one single component. Hence we need to pose some additional requirements. One option would be to specify locations for system activities and then to ask for implementations satisfying this distribution and still preserving the behaviour of the original specification. This is done in [1]. Here we pursue a different approach. We add another requirement to our notion of a distributed system, namely that its components only allow sequential behaviour. We then ask whether an arbitrary system specification may be implemented as a distributed system consisting of sequential components in an optimal way, that is without restricting the concurrency of the original specification. This is a particular challenge when synchronous communication interacts with concurrency in the specification of the original system. We will give a precise characterisation of the class of distributable systems, which answers in particular under which conditions synchronous communication may be implemented in a distributed setting.

For our investigations we need a model which is expressive enough to represent concurrency. It is also useful to have an explicit representation of the distributed state space of a distributed system, showing in particular the local control states of components. We choose Petri nets, which offer these possibilities and additionally allow finite representations of infinite behaviours. We work within the class of structural conflict nets [?], a proper generalisation of the class of one-safe place/transition systems, where conflict and concurrency are clearly separated.

For comparing the behaviour of systems with their distributed implementation we need a suitable 
equivalence notion. Since we think of open systems interacting with an environment, and since we do 
not want to restrict concurrency in applications, we need an equivalence that respects branching time and 
concurrency to some degree. Our implementations use transitions which are invisible to the environment, 
and this should be reflected in the equivalence by abstracting from such transitions. However, we do not 
want implementations to introduce divergence. In the light of these requirements we work with two 
semantic equivalences. Step readiness equivalence is one of the weakest equivalences that captures 
branching time, concurrency and divergence to some degree; whereas branching ST-bisimilarity with 
explicit divergence fully captures branching time, divergence, and those aspects of concurrency that can 
be represented by concurrent actions overlapping in time. We obtain the same characterisation for both 
notions of equivalence, and thus implicitly for all notions in between these extremes. 

We model distributed systems consisting of sequential components as an appropriate class of Petri nets, called LSGA nets. These are obtained by composing nets with sequential behaviour by means of an asynchronous parallel composition. We show that this class corresponds exactly to a more abstract notion of distributed systems, formalised as distributed nets [?].

We then consider distributability of system specifications which are represented as structural conflict nets. A net $N$ is distributable if there exists a distributed implementation of $N$, that is a distributed net which is semantically equivalent to $N$. In the implementation we allow unobservable transitions, and labellings of transitions, so that single actions of the original system may be implemented by multiple transitions. However, the system specifications for which we search distributed implementations are plain nets without these features.

We give a precise characterisation of distributable nets in terms of a semi-structural property. This characterisation provides a formal proof that the interplay between choice and synchronous communication is a key issue for distributability.

To establish the correctness of our characterisation we develop a new method for rigorously proving the equivalence of two Petri nets, one of which is known to be plain, up to branching ST-bisimilarity with explicit divergence.

2 Basic Notions 

In this paper we employ signed multisets, which generalise multisets by allowing elements to occur with a negative multiplicity.

Definition 1 Let $X$ be a set.

- A signed multiset over $X$ is a function $A : X \to \mathbb{Z}$, i.e. $A \in \mathbb{Z}^X$.
It is a multiset iff $A \in \mathbb{N}^X$, i.e. iff $A(x) \geq 0$ for all $x \in X$.

- $x \in X$ is an element of a signed multiset $A \in \mathbb{Z}^X$, notation $x \in A$, iff $A(x) \neq 0$.

- For signed multisets $A$ and $B$ over $X$ we write $A \leq B$ iff $A(x) \leq B(x)$ for all $x \in X$;
$A \cup B$ denotes the signed multiset over $X$ with $(A \cup B)(x) := \max(A(x), B(x))$,
$A \cap B$ denotes the signed multiset over $X$ with $(A \cap B)(x) := \min(A(x), B(x))$,
$A + B$ denotes the signed multiset over $X$ with $(A + B)(x) := A(x) + B(x)$,
$A - B$ denotes the signed multiset over $X$ with $(A - B)(x) := A(x) - B(x)$, and
for $k \in \mathbb{N}$ the signed multiset $k \cdot A$ is given by $(k \cdot A)(x) := k \cdot A(x)$.

- The function $\emptyset : X \to \mathbb{N}$, given by $\emptyset(x) := 0$ for all $x \in X$, is the empty multiset over $X$.

- If $A$ is a signed multiset over $X$ and $Y \subseteq X$ then $A \restriction Y$ denotes the signed multiset over $Y$ defined by $(A \restriction Y)(x) := A(x)$ for all $x \in Y$.

- The cardinality $|A|$ of a signed multiset $A$ over $X$ is given by $|A| := \sum_{x \in X} |A(x)|$.

- A signed multiset $A$ over $X$ is finite iff $|A| < \infty$, i.e., iff the set $\{x \mid x \in A\}$ is finite.
We write $A \in_f \mathbb{Z}^X$ or $A \in_f \mathbb{N}^X$ to indicate that $A$ is a finite (signed) multiset over $X$.

- Any function $f : X \to \mathbb{Z}$ or $f : X \to \mathbb{Z}^Y$ from $X$ to either the integers or the signed multisets over some set $Y$ extends to the finite signed multisets $A$ over $X$ by $f(A) = \sum_{x \in X} A(x) \cdot f(x)$.

Two signed multisets $A : X \to \mathbb{Z}$ and $B : Y \to \mathbb{Z}$ are extensionally equivalent iff $A \restriction (X \cap Y) = B \restriction (X \cap Y)$, $A \restriction (X \setminus Y) = \emptyset$, and $B \restriction (Y \setminus X) = \emptyset$. In this paper we often do not distinguish extensionally equivalent signed multisets. This enables us, for instance, to use $A + B$ even when $A$ and $B$ have different underlying domains. A multiset $A$ with $A(x) \in \{0, 1\}$ for all $x$ is identified with the set $\{x \mid A(x) = 1\}$. A signed multiset with elements $x$ and $y$, having multiplicities $-2$ and $3$, is denoted as $-2 \cdot \{x\} + 3 \cdot \{y\}$.

We consider here general labelled place/transition systems with arc weights. Arc weights are not 
necessary for the results of the paper, but are included for the sake of generality. 

Definition 2 Let $Act$ be a set of visible actions and $\tau \notin Act$ be an invisible action. Let $Act_\tau := Act \cup \{\tau\}$.
A (labelled) Petri net (over $Act_\tau$) is a tuple $N = (S, T, F, M_0, \ell)$ where

- $S$ and $T$ are disjoint sets (of places and transitions),

- $F : (S \times T \cup T \times S) \to \mathbb{N}$ (the flow relation including arc weights),

- $M_0 : S \to \mathbb{N}$ (the initial marking), and

- $\ell : T \to Act_\tau$ (the labelling function).

Petri nets are depicted by drawing the places as circles and the transitions as boxes, containing their label. Identities of places and transitions are displayed next to the net element. When $F(x, y) > 0$ for $x, y \in S \cup T$ there is an arrow (arc) from $x$ to $y$, labelled with the arc weight $F(x, y)$. Weights 1 are elided. When a Petri net represents a concurrent system, a global state of this system is given as a marking, a multiset $M$ of places, depicted by placing $M(s)$ dots (tokens) in each place $s$. The initial state is $M_0$.

To compress the graphical notation, we also allow universal quantifiers of the form $\forall x.\varphi(x)$ to appear in the drawing (cf. Figure [?]). A quantifier replaces occurrences of $x$ in element identities with all concrete values for which $\varphi(x)$ holds, possibly creating a set of elements instead of the depicted single one. An arc of which only one end is replicated by a given quantifier results in a fan of arcs, one for each replicated element. If both ends of an arc are affected by the same quantifier, an arc is created between pairs of elements corresponding to the same $x$, but not between elements created due to differing values of $x$.

The behaviour of a Petri net is defined by the possible moves between markings $M$ and $M'$, which take place when a finite multiset $G$ of transitions fires. In that case, each occurrence of a transition $t$ in $G$ consumes $F(s, t)$ tokens from each place $s$. Naturally, this can happen only if $M$ makes all these tokens available in the first place. Next, each $t$ produces $F(t, s)$ tokens in each $s$. Definition 4 formalises this notion of behaviour.

Definition 3 Let $N = (S, T, F, M_0, \ell)$ be a Petri net and $x \in S \cup T$.

The multisets ${}^\bullet x, x^\bullet : S \cup T \to \mathbb{N}$ are given by ${}^\bullet x(y) = F(y, x)$ and $x^\bullet(y) = F(x, y)$ for all $y \in S \cup T$. If $x \in T$, the elements of ${}^\bullet x$ and $x^\bullet$ are called pre- and postplaces of $x$, respectively, and if $x \in S$ we speak of pre- and posttransitions. The token replacement function $[\_] : T \to \mathbb{Z}^S$ is given by $[t] = t^\bullet - {}^\bullet t$ for all $t \in T$. These functions extend to finite signed multisets as usual (see Definition 1).

Definition 4 Let $N = (S, T, F, M_0, \ell)$ be a Petri net, $G \in \mathbb{N}^T$, $G$ non-empty and finite, and $M, M' \in \mathbb{N}^S$.
$G$ is a step from $M$ to $M'$, written $M [G\rangle_N M'$, iff

- ${}^\bullet G \leq M$ ($G$ is enabled) and

- $M' = (M - {}^\bullet G) + G^\bullet = M + [G]$.

Note that steps are (finite) multisets, thus allowing self-concurrency, i.e. the same transition can occur multiple times in a single step. We write $M [t\rangle_N M'$ for $M [\{t\}\rangle_N M'$, whereas $M [G\rangle_N$ abbreviates $\exists M'.\ M [G\rangle_N M'$. We may omit the subscript $N$ if clear from context.

In our nets transitions are labelled with actions drawn from a set $Act \cup \{\tau\}$. This makes it possible to see these nets as models of reactive systems that interact with their environment. A transition $t$ can be thought of as the occurrence of the action $\ell(t)$. If $\ell(t) \in Act$, this occurrence can be observed and influenced by the environment, but if $\ell(t) = \tau$, it cannot and $t$ is an internal or silent transition. Transitions whose occurrences cannot be distinguished by the environment carry the same label. In particular, since the environment cannot observe the occurrence of internal transitions at all, they are all labelled $\tau$.

The labelling function $\ell$ extends to finite multisets of transitions $G \in \mathbb{Z}^T$ by $\ell(G) := \sum_{t \in T} G(t) \cdot \{\ell(t)\}$. For $A, B \in \mathbb{Z}^T$ we write $A \equiv B$ iff $\ell(A)(a) = \ell(B)(a)$ for all $a \in Act$, i.e. iff $A$ and $B$ contain the same (numbers of) visible actions, allowing $\ell(A)(\tau) \neq \ell(B)(\tau)$. Hence $\ell(G) \equiv \emptyset$ indicates that $\ell(t) = \tau$ for all transitions $t \in T$ with $G(t) \neq 0$.

Definition 5 Let $N = (S, T, F, M_0, \ell)$ be a Petri net.

- The set $[M_0\rangle_N$ of reachable markings of $N$ is defined as the smallest set containing $M_0$ that is closed under $[G\rangle_N$, meaning that if $M \in [M_0\rangle_N$ and $M [G\rangle_N M'$ then $M' \in [M_0\rangle_N$.

- $N$ is one-safe iff $M \in [M_0\rangle_N \Rightarrow \forall s \in S.\ M(s) \leq 1$.

- The concurrency relation $\smile \subseteq T^2$ is given by $t \smile u \Leftrightarrow \exists M \in [M_0\rangle.\ M [\{t\} + \{u\}\rangle$.

- $N$ is a structural conflict net iff for all $t, u \in T$ with $t \smile u$ we have ${}^\bullet t \cap {}^\bullet u = \emptyset$.

We use the term plain for Petri nets where $\ell$ is injective and no transition has the label $\tau$, i.e. essentially unlabelled nets.

This paper first of all aims at studying finite Petri nets: nets with finitely many places and transitions. However, our work also applies to infinite nets with the properties that ${}^\bullet t \neq \emptyset$ for all transitions $t \in T$, and any reachable marking (a) is finite, and (b) enables only finitely many transitions. Henceforth, we call such nets finitary. Finitariness can be ensured by requiring $|M_0| < \infty \wedge \forall t \in T.\ {}^\bullet t \neq \emptyset \wedge \forall x \in S \cup T.\ |x^\bullet| < \infty$, i.e. that the initial marking is finite, no transition has an empty set of preplaces, and each place and transition has only finitely many outgoing arcs.

3 Semantic Equivalences 

In this section, we give an overview of some semantic equivalences for reactive systems. Most of these may be defined formally for Petri nets in a uniform way, by first defining equivalences for transition systems and then associating different transition systems with a Petri net. This yields in particular different non-interleaving equivalences for Petri nets.

Definition 6 Let $\mathfrak{Act}$ be a set of visible actions and $\tau \notin \mathfrak{Act}$ be an invisible action. Let $\mathfrak{Act}_\tau := \mathfrak{Act} \cup \{\tau\}$.
A labelled transition system (LTS) (over $\mathfrak{Act}_\tau$) is a triple $\mathfrak{L} = (\mathfrak{S}, \mathfrak{T}, \mathfrak{M}_0)$ with

- $\mathfrak{S}$ a set of states,

- $\mathfrak{T} \subseteq \mathfrak{S} \times \mathfrak{Act}_\tau \times \mathfrak{S}$ a transition relation

- and $\mathfrak{M}_0 \in \mathfrak{S}$ the initial state.

Given an LTS $(\mathfrak{S}, \mathfrak{T}, \mathfrak{M}_0)$ with $\mathfrak{M}, \mathfrak{M}' \in \mathfrak{S}$ and $\alpha \in \mathfrak{Act}_\tau$, we write $\mathfrak{M} \xrightarrow{\alpha} \mathfrak{M}'$ for $(\mathfrak{M}, \alpha, \mathfrak{M}') \in \mathfrak{T}$. We write $\mathfrak{M} \xrightarrow{\alpha}$ for $\exists \mathfrak{M}'.\ \mathfrak{M} \xrightarrow{\alpha} \mathfrak{M}'$ and $\mathfrak{M} \not\xrightarrow{\alpha}$ for $\nexists \mathfrak{M}'.\ \mathfrak{M} \xrightarrow{\alpha} \mathfrak{M}'$. Furthermore, $\mathfrak{M} \xrightarrow{(\alpha)} \mathfrak{M}'$ denotes $\mathfrak{M} \xrightarrow{\alpha} \mathfrak{M}' \vee (\alpha = \tau \wedge \mathfrak{M} = \mathfrak{M}')$, meaning that in case $\alpha = \tau$ performing a $\tau$-transition is optional. For $\alpha_1 \alpha_2 \cdots \alpha_n \in \mathfrak{Act}^*$ we write $\mathfrak{M} \xRightarrow{\alpha_1 \alpha_2 \cdots \alpha_n} \mathfrak{M}'$ when

where $\Longrightarrow$ denotes the reflexive and transitive closure of $\xrightarrow{\tau}$. A state $\mathfrak{M} \in \mathfrak{S}$ is said to be reachable iff there is a $\sigma \in \mathfrak{Act}^*$ such that $\mathfrak{M}_0 \xRightarrow{\sigma} \mathfrak{M}$. The set of all reachable states is denoted by $[\mathfrak{M}_0\rangle$. In case there are $\mathfrak{M}_i \in [\mathfrak{M}_0\rangle$ for all $i \geq 1$ with $\mathfrak{M}_1 \xrightarrow{\tau} \mathfrak{M}_2 \xrightarrow{\tau} \cdots$ the LTS is said to display divergence.

R.J. van Glabbeek, U. Goltz & J.-W. Schicke-Uffmann

Many semantic equivalences on LTSs that in some way abstract from internal transitions are defined in the literature; an overview can be found in [4]. On divergence-free LTSs, the most discriminating semantics in the spectrum of equivalences of [4], and the only one that fully respects the branching structure of related systems, is branching bisimilarity, proposed in [10].

Definition 7 Two LTSs $(\mathfrak{S}_1, \mathfrak{T}_1, \mathfrak{M}_{01})$ and $(\mathfrak{S}_2, \mathfrak{T}_2, \mathfrak{M}_{02})$ are branching bisimilar iff there exists a relation $\mathcal{B} \subseteq \mathfrak{S}_1 \times \mathfrak{S}_2$ (a branching bisimulation) such that, for all $\alpha \in \mathfrak{Act}_\tau$:

1. $\mathfrak{M}_{01} \mathcal{B} \mathfrak{M}_{02}$;

2. if $\mathfrak{M}_1 \mathcal{B} \mathfrak{M}_2$ and $\mathfrak{M}_1 \xrightarrow{\alpha} \mathfrak{M}_1'$ then $\exists \mathfrak{M}_2^\dagger, \mathfrak{M}_2'$ such that $\mathfrak{M}_2 \Longrightarrow \mathfrak{M}_2^\dagger \xrightarrow{(\alpha)} \mathfrak{M}_2'$, $\mathfrak{M}_1 \mathcal{B} \mathfrak{M}_2^\dagger$ and $\mathfrak{M}_1' \mathcal{B} \mathfrak{M}_2'$;

3. if $\mathfrak{M}_1 \mathcal{B} \mathfrak{M}_2$ and $\mathfrak{M}_2 \xrightarrow{\alpha} \mathfrak{M}_2'$ then $\exists \mathfrak{M}_1^\dagger, \mathfrak{M}_1'$ such that $\mathfrak{M}_1 \Longrightarrow \mathfrak{M}_1^\dagger \xrightarrow{(\alpha)} \mathfrak{M}_1'$, $\mathfrak{M}_1^\dagger \mathcal{B} \mathfrak{M}_2$ and $\mathfrak{M}_1' \mathcal{B} \mathfrak{M}_2'$.

Branching bisimilarity with explicit divergence [10, ?] is a variant of branching bisimilarity that fully respects the diverging behaviour of related systems. Since in this paper we mainly compare systems of which one admits no divergence at all, the definition simplifies to the requirement that the other system may not diverge either.

One of the semantics reviewed in [4] that respects branching time and divergence only to a small 
extent, is readiness equivalence, proposed in [13]. 

Definition 8 Let $\mathfrak{L} = (\mathfrak{S}, \mathfrak{T}, \mathfrak{M}_0)$ be an LTS, $\sigma \in \mathfrak{Act}^*$ and $X \subseteq \mathfrak{Act}$. $(\sigma, X)$ is a ready pair of $\mathfrak{L}$ iff

We write $\mathcal{R}(\mathfrak{L})$ for the set of all ready pairs of $\mathfrak{L}$.

Two LTSs $\mathfrak{L}_1$ and $\mathfrak{L}_2$ are readiness equivalent iff $\mathcal{R}(\mathfrak{L}_1) = \mathcal{R}(\mathfrak{L}_2)$.

As indicated in [?], see in particular the diagram on Page 317 (or 88), equivalences on LTSs have been ported to Petri nets and other causality respecting models of concurrency chiefly in five ways: we distinguish interleaving semantics, step semantics, split semantics, ST-semantics and causal semantics. Causal semantics fully respect the causal relationships between the actions of related systems, whereas interleaving semantics fully abstract from this information. Step semantics differ from interleaving semantics by taking into account the possibility of multiple actions to occur simultaneously (in one step); this carries a minimal amount of causal information. ST-semantics respect causality to the extent that it can be expressed in terms of the possibility of durational actions to overlap in time. They are formalised by executing a visible action $a$ in two phases: its start $a^+$ and its termination $a^-$. Moreover, terminating actions are properly matched with their starts. Split semantics are a simplification of ST-semantics in which the matching of starts and terminations is dropped.

Interleaving semantics on Petri nets can be formalised by associating to each net $N = (S, T, F, M_0, \ell)$ the LTS $(\mathfrak{S}, \mathfrak{T}, M_0)$ with $\mathfrak{S}$ the set of markings of $N$ and $\mathfrak{T}$ given by

$M_1 \xrightarrow{\alpha} M_2 \ :\Leftrightarrow\ \exists t \in T.\ \alpha = \ell(t) \wedge M_1 [t\rangle M_2.$

Here we take $\mathfrak{Act} := Act$. Now each equivalence on LTSs from [4] induces a corresponding interleaving equivalence on nets by declaring two nets equivalent iff the associated LTSs are. For example, interleaving branching bisimilarity is the relation of Definition 7 with the $\mathfrak{M}$'s denoting markings, and the $\alpha$'s actions from $Act_\tau$.

Step semantics on Petri nets can be formalised by associating another LTS to each net. Again we take $\mathfrak{S}$ to be the markings of the net, and $\mathfrak{M}_0$ the initial marking, but this time $\mathfrak{Act}$ consists of the steps over $Act$, the non-empty, finite multisets $A$ of visible actions from $Act$, and the transition relation $\mathfrak{T}$ is given by

$M_1 \xrightarrow{A} M_2 \ :\Leftrightarrow\ \exists G \in_f \mathbb{N}^T.\ A = \ell(G) \wedge M_1 [G\rangle M_2$

with $\tau$-transitions defined just as in the interleaving case. In particular, the step version of readiness equivalence would be the relation of Definition 8 with the $\mathfrak{M}$'s denoting markings, the $\alpha$'s steps over $Act$, and the $\sigma$'s sequences of steps. However, variations in this type of definition are possible. In this paper, following [?], we employ a form of step readiness semantics that is a bit closer to interleaving semantics: $\sigma$ is a sequence of single actions, whereas the menu $X$ of possible continuations after $\sigma$ is a set of steps.

Definition 9 Let $N = (S, T, F, M_0, \ell)$ be a Petri net, $\sigma \in Act^*$ and $X \subseteq \mathbb{N}^{Act}$. $(\sigma, X)$ is a step ready pair of $N$ iff

$\exists M.\ M_0 \xRightarrow{\sigma} M \wedge M \not\xrightarrow{\tau} \wedge X = \{A \in \mathbb{N}^{Act} \mid M \xrightarrow{A}\}.$

We write $\mathcal{R}(N)$ for the set of all step ready pairs of $N$.

Two Petri nets $N_1$ and $N_2$ are step readiness equivalent, $N_1 \approx_{\mathcal{R}} N_2$, iff $\mathcal{R}(N_1) = \mathcal{R}(N_2)$.

Next we propose a general definition on Petri nets of ST-versions of each of the semantics of [4]. Again we do this through a mapping from nets to a suitable LTS. An ST-marking of a net $(S, T, F, M_0, \ell)$ is a pair $(M, U) \in \mathbb{N}^S \times T^*$ of a normal marking, together with a sequence of transitions currently firing. The initial ST-marking is $\mathfrak{M}_0 := (M_0, \varepsilon)$. The elements of $Act^\pm := \{a^+, a^{-n} \mid a \in Act, n > 0\}$ are called visible action phases, and $Act^\pm_\tau := Act^\pm \cup \{\tau\}$. For $U \in T^*$, we write $t \in_n U$ if $t$ is the $n$-th element of $U$. Furthermore $U^{-n}$ denotes $U$ after removal of the $n$-th transition.

Definition 10 Let $N = (S, T, F, M_0, \ell)$ be a Petri net, labelled over $Act_\tau$.

The ST-transition relations $\xrightarrow{\eta}$ for $\eta \in Act^\pm_\tau$ between ST-markings are given by
$(M, U) \xrightarrow{a^+} (M', U')$ iff $\exists t \in T.\ \ell(t) = a \wedge M [t\rangle \wedge M' = M - {}^\bullet t \wedge U' = Ut$.
$(M, U) \xrightarrow{a^{-n}} (M', U')$ iff $\exists t \in_n U.\ \ell(t) = a \wedge U' = U^{-n} \wedge M' = M + t^\bullet$.
$(M, U) \xrightarrow{\tau} (M', U')$ iff $M \xrightarrow{\tau} M' \wedge U' = U$.

Now the ST-LTS associated to a net $N$ is $(\mathfrak{S}, \mathfrak{T}, \mathfrak{M}_0)$ with $\mathfrak{S}$ the set of ST-markings of $N$, $\mathfrak{Act} := Act^\pm$, $\mathfrak{T}$ as defined in Definition 10 and $\mathfrak{M}_0$ the initial ST-marking. Again, each equivalence on LTSs from [4] induces a corresponding ST-equivalence on nets by declaring two nets equivalent iff their associated LTSs are. In particular, branching ST-bisimilarity is the relation of Definition 7 with the $\mathfrak{M}$'s denoting ST-markings, and the $\alpha$'s action phases from $Act^\pm_\tau$. We write $N_1 \approx^\Delta_{bSTb} N_2$ iff $N_1$ and $N_2$ are branching ST-bisimilar with explicit divergence.

ST-bisimilarity was originally proposed in [9]. It was extended to a setting with internal actions in [17], based on the notion of weak bisimilarity of [12], which is a bit less discriminating than branching bisimilarity. The above can be regarded as a reformulation of the same idea; the notion of weak ST-bisimilarity defined according to the recipe above agrees with the ST-bisimilarity of [17].

The next proposition says that branching ST-bisimilarity with explicit divergence is more discrimi- 
nating than (i.e. stronger than, finer than, or included in) step readiness equivalence. 
Proposition 1 Let $N_1$ and $N_2$ be Petri nets. If $N_1 \approx^\Delta_{bSTb} N_2$ then $N_1 \approx_{\mathcal{R}} N_2$.

Proof: Suppose $N_1 \approx^\Delta_{bSTb} N_2$ and $(\sigma, X) \in \mathcal{R}(N_1)$. By symmetry it suffices to show that $(\sigma, X) \in \mathcal{R}(N_2)$.

There must be a branching bisimulation $\mathcal{B}$ between the ST-markings of $N_1 = (S_1, T_1, F_1, M_{01}, \ell_1)$ and $N_2 = (S_2, T_2, F_2, M_{02}, \ell_2)$. In particular, $(M_{01}, \varepsilon) \mathcal{B} (M_{02}, \varepsilon)$. Let $\sigma := a_1 a_2 \cdots a_n \in Act^*$. Then $M_{01} \Longrightarrow \xrightarrow{a_1} \Longrightarrow \xrightarrow{a_2} \Longrightarrow \cdots \Longrightarrow \xrightarrow{a_n} \Longrightarrow M_1'$ for a marking $M_1' \in \mathbb{N}^{S_1}$ with $X = \{A \in \mathbb{N}^{Act} \mid M_1' \xrightarrow{A}\}$ and $M_1' \not\xrightarrow{\tau}$. Hence $(M_{01}, \varepsilon) \Longrightarrow \xrightarrow{a_1^+} \xrightarrow{a_1^{-1}} \Longrightarrow \xrightarrow{a_2^+} \xrightarrow{a_2^{-1}} \Longrightarrow \cdots \Longrightarrow \xrightarrow{a_n^+} \xrightarrow{a_n^{-1}} \Longrightarrow (M_1', \varepsilon)$. Thus, using the properties of a branching bisimulation on the ST-LTSs associated to $N_1$ and $N_2$, there must be a marking $M_2' \in \mathbb{N}^{S_2}$ such that $(M_{02}, \varepsilon) \Longrightarrow \xrightarrow{a_1^+} \Longrightarrow \xrightarrow{a_1^{-1}} \Longrightarrow \xrightarrow{a_2^+} \Longrightarrow \xrightarrow{a_2^{-1}} \Longrightarrow \cdots \Longrightarrow \xrightarrow{a_n^+} \Longrightarrow \xrightarrow{a_n^{-1}} \Longrightarrow (M_2', \varepsilon)$ and $(M_1', \varepsilon) \mathcal{B} (M_2', \varepsilon)$. Since $(M_1', \varepsilon) \not\xrightarrow{\tau}$ the ST-marking $(M_1', \varepsilon)$ admits no divergence. As $\approx^\Delta_{bSTb}$ respects this property, also $(M_2', \varepsilon)$ admits no divergence, and there must be an $M_2'' \in \mathbb{N}^{S_2}$ with $M_2'' \not\xrightarrow{\tau}$ and $(M_2', \varepsilon) \Longrightarrow (M_2'', \varepsilon)$. Clause 3. of a branching bisimulation gives $(M_1', \varepsilon) \mathcal{B} (M_2'', \varepsilon)$, and Definition 10 yields $M_{02} \xRightarrow{\sigma} M_2''$.

Now let $B = \{b_1, \ldots, b_n\} \in X$. Then $M_1' \xrightarrow{B}$, so $(M_1', \varepsilon) \xrightarrow{b_1^+} \xrightarrow{b_2^+} \cdots \xrightarrow{b_n^+}$. Property 2. of a branching bisimulation implies $(M_2'', \varepsilon) \xrightarrow{b_1^+} \xrightarrow{b_2^+} \cdots \xrightarrow{b_n^+}$ and hence $M_2'' \xrightarrow{B}$. Likewise, with Property 3., $M_2'' \xrightarrow{B}$ implies $M_1' \xrightarrow{B}$ for all $B \in \mathbb{N}^{Act}$. It follows that $(\sigma, X) \in \mathcal{R}(N_2)$. □

In this paper we employ both step readiness equivalence and branching ST-bisimilarity with explicit divergence. Fortunately it will turn out that for our purposes the latter equivalence coincides with its split version (since always one of the compared nets is plain, see Proposition 2).

A split marking of a net $N = (S, T, F, M_0, \ell)$ is a pair $(M, U) \in \mathbb{N}^S \times \mathbb{N}^T$ of a normal marking $M$, together with a multiset of transitions currently firing. The initial split marking is $\mathfrak{M}_0 := (M_0, \emptyset)$. A split marking can be regarded as an abstraction from an ST-marking, in which the total order on the (finite) multiset of transitions that are currently firing has been dropped. Let $Act^{split} := \{a^+, a^- \mid a \in Act\}$.

Definition 11 Let $N = (S, T, F, M_0, \ell)$ be a Petri net, labelled over $Act_\tau$.

The split transition relations $\xrightarrow{\zeta}$ for $\zeta \in Act^{split} \cup \{\tau\}$ between split markings are given by
$(M, U) \xrightarrow{a^+} (M', U')$ iff $\exists t \in T.\ \ell(t) = a \wedge M [t\rangle \wedge M' = M - {}^\bullet t \wedge U' = U + \{t\}$.
$(M, U) \xrightarrow{a^-} (M', U')$ iff $\exists t \in U.\ \ell(t) = a \wedge U' = U - \{t\} \wedge M' = M + t^\bullet$.
$(M, U) \xrightarrow{\tau} (M', U')$ iff $M \xrightarrow{\tau} M' \wedge U' = U$.

Note that $(M, U) \xrightarrow{a^+}$ iff $M \xrightarrow{a}$ whereas $(M, U) \xrightarrow{a^-}$ iff $a \in \ell(U)$. With induction on reachability of markings it is furthermore easy to check that $(M, U) \in [\mathfrak{M}_0\rangle$ iff $\ell(U) \in \mathbb{N}^{Act}$ and $M + {}^\bullet U \in [M_0\rangle$.
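The difference between Definitions 10 and 11 is easiest to see on a net with two concurrent transitions carrying the same label. The following added example (not code from the paper) computes the ST-transition relation and the split transition relation of such a constructed net and applies the abstraction that forgets the order of the firing sequence $U$; it also checks, for a given ST-marking, the two directions of Observation 1 that concern single moves, namely that every ST move abstracts to a split move and every split move lifts to an ST move. The net, its place and transition names and the string encodings `a+`, `a-n` and `tau` of the action phases are assumptions of the example.

```python
"""Added example: ST-markings versus split markings (Definitions 10 and 11).

Not code from the paper.  Constructed sample net: t1 and t2 are concurrent
and both labelled "a"; u is a tau-transition.  The net is therefore not plain.
Action phases are encoded as strings: "a+", "a-3" (termination of the third
running transition) and "tau"; split phases are "a+", "a-" and "tau".
"""
from collections import Counter

S = {"p", "q", "r", "s"}
T = {"t1", "t2", "u"}
F = {("p", "t1"): 1, ("t1", "r"): 1, ("q", "t2"): 1, ("t2", "s"): 1,
     ("r", "u"): 1, ("u", "p"): 1}
M0 = Counter({"p": 1, "q": 1})
EMPTY = Counter()
LABEL = {"t1": "a", "t2": "a", "u": "tau"}


def pre(x):   # •x as a multiset of places
    return Counter({y: w for (y, z), w in F.items() if z == x})


def post(x):  # x• as a multiset of places
    return Counter({y: w for (z, y), w in F.items() if z == x})


def enabled(M, t):
    return all(M[s] >= w for s, w in pre(t).items())


def st_moves(st):
    """All pairs (eta, st') with st --eta--> st' for an ST-marking st = (M, U),
    U being a tuple (sequence) of running transitions."""
    M, U = st
    out = []
    for t in sorted(T):
        if enabled(M, t):
            if LABEL[t] == "tau":                       # tau fires in one go, U unchanged
                out.append(("tau", (+(M - pre(t) + post(t)), U)))
            else:                                       # a+: consume •t, append t to U
                out.append((LABEL[t] + "+", (+(M - pre(t)), U + (t,))))
    for n, t in enumerate(U, start=1):                  # a-n: remove the n-th element, add t•
        out.append((f"{LABEL[t]}-{n}", (+(M + post(t)), U[:n - 1] + U[n:])))
    return out


def split_moves(sp):
    """All pairs (zeta, sp') with sp --zeta--> sp' for a split marking sp = (M, U),
    U being a multiset (Counter) of running transitions."""
    M, U = sp
    out = []
    for t in sorted(T):
        if enabled(M, t):
            if LABEL[t] == "tau":
                out.append(("tau", (+(M - pre(t) + post(t)), U)))
            else:
                out.append((LABEL[t] + "+", (+(M - pre(t)), +(U + Counter({t: 1})))))
    for t in sorted(U):                                 # a-: any running t labelled a may end
        if U[t] > 0:
            out.append((LABEL[t] + "-", (+(M + post(t)), +(U - Counter({t: 1})))))
    return out


def to_split(st):
    """The abstraction (M, U) -> (M, U-bar): forget the order of U."""
    M, U = st
    return (M, Counter(U))


def bar(eta):
    """a+ -> a+, a-n -> a-, tau -> tau."""
    return eta.split("-")[0] + "-" if "-" in eta else eta


def freeze(sp):
    M, U = sp
    return (frozenset((k, v) for k, v in M.items() if v),
            frozenset((k, v) for k, v in U.items() if v))


def observation1_holds(st):
    """Single-move part of Observation 1 at st: the abstracted ST moves are
    exactly the split moves of the abstracted marking."""
    st_image = {(bar(eta), freeze(to_split(st2))) for eta, st2 in st_moves(st)}
    split_set = {(zeta, freeze(sp2)) for zeta, sp2 in split_moves(to_split(st))}
    return st_image == split_set


if __name__ == "__main__":
    running = (EMPTY, ("t1", "t2"))       # both a's have started
    print("ST moves:   ", [eta for eta, _ in st_moves(running)])
    print("split moves:", [zeta for zeta, _ in split_moves(to_split(running))])
```

With both transitions running, the ST-LTS offers the two distinct phases `a-1` and `a-2`, each ending a specific start, whereas the split LTS offers `a-` twice: this is exactly the matching of terminations with starts that split semantics drops.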

The split LTS associated to a net $N$ is $(\mathfrak{S}, \mathfrak{T}, \mathfrak{M}_0)$ with $\mathfrak{S}$ the set of split markings of $N$, $\mathfrak{Act} := Act^{split}$, $\mathfrak{T}$ as defined in Definition 11 and $\mathfrak{M}_0$ the initial split marking. Again, each equivalence on LTSs from [4] induces a corresponding split equivalence on nets by declaring two nets equivalent iff their associated LTSs are. In particular, branching split bisimilarity is the relation of Definition 7 with the $\mathfrak{M}$'s denoting split markings, and the $\alpha$'s action phases from $Act^{split} \cup \{\tau\}$.

For $\mathfrak{M} = (M, U) \in \mathbb{N}^S \times T^*$ an ST-marking, let $\overline{\mathfrak{M}} = (M, \overline{U}) \in \mathbb{N}^S \times \mathbb{N}^T$ be the split marking obtained by converting the sequence $U$ into the multiset $\overline{U}$, where $\overline{U}(t)$ is the number of occurrences of the transition $t \in T$ in $U$. Moreover, define $\ell(\mathfrak{M})$ by $\ell(M, U) := \ell(U)$ and $\ell(t_1 t_2 \cdots t_k) := \ell(t_1) \ell(t_2) \cdots \ell(t_k)$. Furthermore, for $\eta \in Act^\pm_\tau$, let $\overline{\eta} \in Act^{split} \cup \{\tau\}$ be given by $\overline{a^+} := a^+$, $\overline{a^{-n}} := a^-$ and $\overline{\tau} := \tau$.

Observation 1 Let $\mathfrak{M}, \mathfrak{M}'$ be ST-markings, $\mathfrak{M}^\dagger$ a split marking, $\eta \in Act^\pm_\tau$ and $\zeta \in Act^{split} \cup \{\tau\}$. Then

- $\mathfrak{M} \in \mathbb{N}^S \times T^*$ is the initial ST-marking of $N$ iff $\overline{\mathfrak{M}} \in \mathbb{N}^S \times \mathbb{N}^T$ is the initial split marking of $N$;

- if $\mathfrak{M} \xrightarrow{\eta} \mathfrak{M}'$ then $\overline{\mathfrak{M}} \xrightarrow{\overline{\eta}} \overline{\mathfrak{M}'}$;

- if $\overline{\mathfrak{M}} \xrightarrow{\zeta} \mathfrak{M}^\dagger$ then there is a $\mathfrak{M}' \in \mathbb{N}^S \times T^*$ and $\eta \in Act^\pm_\tau$ such that $\mathfrak{M} \xrightarrow{\eta} \mathfrak{M}'$, $\overline{\eta} = \zeta$, and $\overline{\mathfrak{M}'} = \mathfrak{M}^\dagger$;

- if $\mathfrak{M} \xrightarrow{(\eta)} \mathfrak{M}'$ then $\overline{\mathfrak{M}} \xrightarrow{(\overline{\eta})} \overline{\mathfrak{M}'}$;

- if $\overline{\mathfrak{M}} \xrightarrow{(\zeta)} \mathfrak{M}^\dagger$ then there is a $\mathfrak{M}' \in \mathbb{N}^S \times T^*$ and $\eta \in Act^\pm_\tau$ such that $\mathfrak{M} \xrightarrow{(\eta)} \mathfrak{M}'$, $\overline{\eta} = \zeta$ and $\overline{\mathfrak{M}'} = \mathfrak{M}^\dagger$;

- if $\mathfrak{M} \Longrightarrow \mathfrak{M}'$ then $\overline{\mathfrak{M}} \Longrightarrow \overline{\mathfrak{M}'}$;

- if $\overline{\mathfrak{M}} \Longrightarrow \mathfrak{M}^\dagger$ then there is a $\mathfrak{M}' \in \mathbb{N}^S \times T^*$ such that $\mathfrak{M} \Longrightarrow \mathfrak{M}'$ and $\overline{\mathfrak{M}'} = \mathfrak{M}^\dagger$. □



Lemma 1 Let $N_1 = (S_1, T_1, F_1, M_{01}, \ell_1)$ and $N_2 = (S_2, T_2, F_2, M_{02}, \ell_2)$ be two nets, $N_2$ being plain. Let $\mathfrak{M}_1, \mathfrak{M}_1'$ be ST-markings of $N_1$, and $\mathfrak{M}_2, \mathfrak{M}_2'$ ST-markings of $N_2$. If $\ell(\mathfrak{M}_2) = \ell(\mathfrak{M}_1)$, $\mathfrak{M}_1 \xrightarrow{(\eta)} \mathfrak{M}_1'$ and $\mathfrak{M}_2 \xrightarrow{(\eta')} \mathfrak{M}_2'$ with $\overline{\eta'} = \overline{\eta}$, then there is an $\mathfrak{M}_2''$ with $\mathfrak{M}_2 \xrightarrow{(\eta)} \mathfrak{M}_2''$, $\ell(\mathfrak{M}_2'') = \ell(\mathfrak{M}_1')$, and $\overline{\mathfrak{M}_2''} = \overline{\mathfrak{M}_2'}$.

Proof: If $\mathfrak{M} \xrightarrow{\eta} \mathfrak{M}'$ or $\mathfrak{M} \xrightarrow{(\eta)} \mathfrak{M}'$ then $\ell(\mathfrak{M}')$ is completely determined by $\ell(\mathfrak{M})$ and $\eta$. For this reason the requirement $\ell(\mathfrak{M}_2'') = \ell(\mathfrak{M}_1')$ will hold as soon as the other requirements are met.

First suppose $\eta$ is of the form $\tau$ or $a^+$. Then $\overline{\eta} = \eta$ and moreover $\overline{\eta'} = \overline{\eta}$ implies $\eta' = \eta$. Thus we can take $\mathfrak{M}_2'' := \mathfrak{M}_2'$.

Now suppose $\eta := a^{-n}$ for some $n > 0$. Then $\eta' = a^{-m}$ for some $m > 0$. As $\mathfrak{M}_1 \xrightarrow{a^{-n}}$, the $n$-th element of $\ell(\mathfrak{M}_1)$ must (exist and) be $a$. Since $\ell(\mathfrak{M}_2) = \ell(\mathfrak{M}_1)$, also the $n$-th element of $\ell(\mathfrak{M}_2)$ must be $a$, so there is an $\mathfrak{M}_2''$ with $\mathfrak{M}_2 \xrightarrow{a^{-n}} \mathfrak{M}_2''$. Let $\mathfrak{M}_2 := (M_2, U_2)$. Then $U_2$ is a sequence of transitions of which the $n$-th and the $m$-th elements are both labelled $a$. Since the net $N_2$ is plain, those two transitions must be equal. Let $\mathfrak{M}_2' := (M_2', U_2')$ and $\mathfrak{M}_2'' := (M_2'', U_2'')$. We find that $M_2'' = M_2'$ and $\overline{U_2''} = \overline{U_2'}$. It follows that $\overline{\mathfrak{M}_2''} = \overline{\mathfrak{M}_2'}$. □

Observation 2 If $\mathfrak{M} \Longrightarrow \mathfrak{M}'$ for ST-markings $\mathfrak{M}, \mathfrak{M}'$ then $\ell(\mathfrak{M}') = \ell(\mathfrak{M})$.

Observation 3 If $\ell(\mathfrak{M}_1) = \ell(\mathfrak{M}_2)$ and $\mathfrak{M}_2 \xrightarrow{a^{-n}}$ for some $a \in Act$ and $n > 0$, then $\mathfrak{M}_1 \xrightarrow{a^{-n}}$.

Observation 4 If $\mathfrak{M} \xrightarrow{a^{-n}} \mathfrak{M}'$ and $\mathfrak{M} \xrightarrow{a^{-n}} \mathfrak{M}''$ for some $a \in Act$ and $n > 0$, then $\mathfrak{M}' = \mathfrak{M}''$.



Proposition 2 Let $N_1 = (S_1, T_1, F_1, M_{01}, \ell_1)$ and $N_2 = (S_2, T_2, F_2, M_{02}, \ell_2)$ be two nets, $N_2$ being plain. Then $N_1$ and $N_2$ are branching ST-bisimilar (with explicit divergence) iff they are branching split bisimilar (with explicit divergence).

Proof: Suppose $\mathcal{B}$ is a branching ST-bisimulation between $N_1$ and $N_2$. Then, by Observation 1, the relation $\mathcal{B}_{split} := \{(\overline{\mathfrak{M}_1}, \overline{\mathfrak{M}_2}) \mid (\mathfrak{M}_1, \mathfrak{M}_2) \in \mathcal{B}\}$ is a branching split bisimulation between $N_1$ and $N_2$.

Now let $\mathcal{B}$ be a branching split bisimulation between $N_1$ and $N_2$. Then, using Observation 1, the relation $\mathcal{B}_{ST} := \{(\mathfrak{M}_1, \mathfrak{M}_2) \mid \ell_1(\mathfrak{M}_1) = \ell_2(\mathfrak{M}_2) \wedge (\overline{\mathfrak{M}_1}, \overline{\mathfrak{M}_2}) \in \mathcal{B}\}$ turns out to be a branching ST-bisimulation between $N_1$ and $N_2$:

1. $\mathfrak{M}_{01} \mathcal{B}_{ST} \mathfrak{M}_{02}$ follows from Observation 1, using that $\overline{\mathfrak{M}_{01}} \mathcal{B} \overline{\mathfrak{M}_{02}}$ and $\ell(\mathfrak{M}_{01}) = \ell(\mathfrak{M}_{02}) = \varepsilon$.

2. Suppose $\mathfrak{M}_1 \mathcal{B}_{ST} \mathfrak{M}_2$ and $\mathfrak{M}_1 \xrightarrow{\eta} \mathfrak{M}_1'$. Then $\overline{\mathfrak{M}_1} \mathcal{B} \overline{\mathfrak{M}_2}$ and $\overline{\mathfrak{M}_1} \xrightarrow{\overline{\eta}} \overline{\mathfrak{M}_1'}$. Hence $\exists \mathfrak{M}_2^\dagger, \mathfrak{M}_2^\ddagger$ such that $\overline{\mathfrak{M}_2} \Longrightarrow \mathfrak{M}_2^\dagger \xrightarrow{(\overline{\eta})} \mathfrak{M}_2^\ddagger$, $\overline{\mathfrak{M}_1} \mathcal{B} \mathfrak{M}_2^\dagger$ and $\overline{\mathfrak{M}_1'} \mathcal{B} \mathfrak{M}_2^\ddagger$. As $N_2$ is plain, $\mathfrak{M}_2^\dagger = \overline{\mathfrak{M}_2}$. By Observation 1, using that $\overline{\mathfrak{M}_2} \xrightarrow{(\overline{\eta})} \mathfrak{M}_2^\ddagger$, $\exists \mathfrak{M}_2', \eta'$ such that $\mathfrak{M}_2 \xrightarrow{(\eta')} \mathfrak{M}_2'$, $\overline{\eta'} = \overline{\eta}$ and $\overline{\mathfrak{M}_2'} = \mathfrak{M}_2^\ddagger$. By Lemma 1 there is an ST-marking $\mathfrak{M}_2''$ such that $\mathfrak{M}_2 \xrightarrow{(\eta)} \mathfrak{M}_2''$, $\ell(\mathfrak{M}_2'') = \ell(\mathfrak{M}_1')$, and $\overline{\mathfrak{M}_2''} = \overline{\mathfrak{M}_2'} = \mathfrak{M}_2^\ddagger$. It follows that $\mathfrak{M}_1' \mathcal{B}_{ST} \mathfrak{M}_2''$.

3. Suppose $\mathfrak{M}_1 \mathcal{B}_{ST} \mathfrak{M}_2$ and $\mathfrak{M}_2 \xrightarrow{\eta} \mathfrak{M}_2'$. Then $\overline{\mathfrak{M}_1} \mathcal{B} \overline{\mathfrak{M}_2}$ and $\overline{\mathfrak{M}_2} \xrightarrow{\overline{\eta}} \overline{\mathfrak{M}_2'}$. Hence $\exists \mathfrak{M}_1^\dagger, \mathfrak{M}_1^\ddagger$ such that $\overline{\mathfrak{M}_1} \Longrightarrow \mathfrak{M}_1^\dagger \xrightarrow{(\overline{\eta})} \mathfrak{M}_1^\ddagger$, $\mathfrak{M}_1^\dagger \mathcal{B} \overline{\mathfrak{M}_2}$ and $\mathfrak{M}_1^\ddagger \mathcal{B} \overline{\mathfrak{M}_2'}$. By Observation 1, $\exists \mathfrak{M}_1^\star$ such that $\mathfrak{M}_1 \Longrightarrow \mathfrak{M}_1^\star$ and $\overline{\mathfrak{M}_1^\star} = \mathfrak{M}_1^\dagger$. By Observation 2, $\ell(\mathfrak{M}_1^\star) = \ell(\mathfrak{M}_1) = \ell(\mathfrak{M}_2)$, so $\mathfrak{M}_1^\star \mathcal{B}_{ST} \mathfrak{M}_2$. Since $N_2$ is plain, $\eta \neq \tau$.

• Let $\eta = a^+$ for some $a \in Act$. Using that $\mathfrak{M}_1^\dagger \xrightarrow{(\overline{\eta})} \mathfrak{M}_1^\ddagger$, by Observation 1 $\exists \mathfrak{M}_1', \eta'$ such that $\mathfrak{M}_1^\star \xrightarrow{(\eta')} \mathfrak{M}_1'$, $\overline{\eta'} = \overline{\eta}$ and $\overline{\mathfrak{M}_1'} = \mathfrak{M}_1^\ddagger$. It must be that $\eta' = \eta = a^+$ and $\ell(\mathfrak{M}_1') = \ell(\mathfrak{M}_1^\star) a = \ell(\mathfrak{M}_2) a = \ell(\mathfrak{M}_2')$. Hence $\mathfrak{M}_1' \mathcal{B}_{ST} \mathfrak{M}_2'$.

• Let $\eta = a^{-n}$ for some $a \in Act$ and $n > 0$. By Observation 3, $\mathfrak{M}_1^\star \xrightarrow{a^{-n}}$, say with $\mathfrak{M}_1^\star \xrightarrow{a^{-n}} \mathfrak{M}_1'$. By Part 2. of this proof, $\exists \mathfrak{M}_2''$ such that $\mathfrak{M}_2 \xrightarrow{a^{-n}} \mathfrak{M}_2''$ and $\mathfrak{M}_1' \mathcal{B}_{ST} \mathfrak{M}_2''$. By Observation 4, $\mathfrak{M}_2'' = \mathfrak{M}_2'$.

Since the net $N_2$ is plain, it has no divergence. In such a case, the requirement "with explicit divergence" requires $N_1$ to be free of divergence as well, regardless of whether split or ST-semantics is used. □

In this paper we will not consider causal semantics. The reason is that our distributed implementations 
will not fully preserve the causal behaviour of nets. We will further comment on this in the conclusion. 

4 Distributed Systems 

In this section, we stipulate what we understand by a distributed system, and subsequently formalise a 
model of distributed systems in terms of Petri nets. 

- A distributed system consists of components residing on different locations. 

- Components work concurrently. 

- Interactions between components are only possible by explicit communications. 

- Communication between components is time consuming and asynchronous. 

Asynchronous communication is the only interaction mechanism in a distributed system for exchanging 
signals or information. 

- The sending of a message always happens strictly before its receipt (there is a causal relation between sending and receiving a message).

- A sending component sends without regarding the state of the receiver; in particular there is no 
need to synchronise with a receiving component. After sending the sender continues its behaviour 
independently of receipt of the message. 

As explained in the introduction, we will add another requirement to our notion of a distributed system, 
namely that its components only allow sequential behaviour. 

Formally, we model distributed systems as nets consisting of component nets with sequential behaviour and interfaces in terms of input and output places.

Definition 12 Let $N = (S, T, F, M_0, \ell)$ be a Petri net, $I, O \subseteq S$, $I \cap O = \emptyset$ and $O^\bullet = \emptyset$.

1. $(N, I, O)$ is a component with interface $(I, O)$.

2. $(N, I, O)$ is a sequential component with interface $(I, O)$ iff
$\exists Q \subseteq S \setminus (I \cup O)$ with $\forall t \in T.\ |{}^\bullet t \restriction Q| = 1 \wedge |t^\bullet \restriction Q| = 1$ and $|M_0 \restriction Q| = 1$.

An input place $i \in I$ of a component $\mathcal{C} = (N, I, O)$ can be regarded as a mailbox of $\mathcal{C}$ for a specific type of messages. An output place $o \in O$, on the other hand, is an address outside $\mathcal{C}$ to which $\mathcal{C}$ can send messages. Moving a token into $o$ is like posting a letter. The condition $o^\bullet = \emptyset$ says that a message, once posted, cannot be retrieved by the component.

A set of places like $Q$ above is called an S-invariant. The requirements guarantee that the number of tokens in these places remains constant, in this case 1. It follows that no two transitions can ever fire concurrently (in one step). Conversely, whenever a net is sequential, in the sense that no two transitions can fire in one step, it is easily converted into a behaviourally equivalent net with the required S-invariant, namely by adding a single marked place with a self-loop to all transitions. This modification preserves virtually all semantic equivalences on Petri nets from the literature, including $\approx^\Delta_{bSTb}$.

Next we define an operator for combining components with asynchronous communication by fusing 
input and output places. 
Definition 13 Let $\mathcal{K}$ be an index set.

Let $((S_k, T_k, F_k, M_{0k}, \ell_k), I_k, O_k)$ with $k \in \mathcal{K}$ be components with interface such that $(S_k \cup T_k) \cap (S_l \cup T_l) = (I_k \cup O_k) \cap (I_l \cup O_l)$ for all $k, l \in \mathcal{K}$ with $k \neq l$ (components are disjoint except for interface places) and $I_k \cap I_l = \emptyset$ for all $k, l \in \mathcal{K}$ with $k \neq l$ (mailboxes cannot be shared; any message has a unique recipient). Then the asynchronous parallel composition of these components is defined by

$\big\|_{k \in \mathcal{K}} ((S_k, T_k, F_k, M_{0k}, \ell_k), I_k, O_k) = ((S, T, F, M_0, \ell), I, O)$

with $S = \bigcup_{k \in \mathcal{K}} S_k$, $T = \bigcup_{k \in \mathcal{K}} T_k$, $F = \bigcup_{k \in \mathcal{K}} F_k$, $M_0 = \sum_{k \in \mathcal{K}} M_{0k}$, $\ell = \bigcup_{k \in \mathcal{K}} \ell_k$ (componentwise union of all nets), $I = \bigcup_{k \in \mathcal{K}} I_k$ (we accept additional inputs from outside), and $O = \bigcup_{k \in \mathcal{K}} O_k \setminus \bigcup_{k \in \mathcal{K}} I_k$ (once fused with an input, $o \in O_k$ is no longer an output).

Observation 5 $\|$ is associative.

This follows directly from the associativity of the (multi)set union operator. □ 
We are now ready to define the class of nets representing systems of asynchronously communicating 
sequential components. 

Definition 14 A Petri net $N$ is an LSGA net (a locally sequential globally asynchronous net) iff there exists an index set $\mathscr{K}$ and sequential components with interface $\mathscr{C}_k$, $k \in \mathscr{K}$, such that $(N,I,O) = \big\|_{k \in \mathscr{K}} \mathscr{C}_k$ for some $I$ and $O$.

Up to $\approx^\Delta_{bSTb}$ — or any reasonable equivalence preserving causality and branching time but abstracting from internal activity — the same class of LSGA systems would have been obtained if we had imposed, in Definition 12, that $I$, $O$ and $Q$ form a partition of $S$ and that ${}^\bullet I = \emptyset$. However, it is essential that our definition allows multiple transitions of a component to read from the same input place.

In the remainder of this section we give a more abstract characterisation of Petri nets representing distributed systems, namely as distributed Petri nets, which we introduced in [6]. This will be useful in Section 5 where we investigate distributability using this more semantic characterisation. We show below that the concrete characterisation of distributed systems as LSGA nets and this abstract characterisation agree.

Following [6], to arrive at a class of nets representing distributed systems, we associate localities to the elements of a net $N = (S,T,F,M_0,\ell)$. We model this by a function $D : S \cup T \to Loc$, with $Loc$ a set of possible locations. We refer to such a function as a distribution of $N$. Since the identity of the locations is irrelevant for our purposes, we can just as well abstract from $Loc$ and represent $D$ by the equivalence relation $\equiv_D$ on $S \cup T$ given by $x \equiv_D y$ iff $D(x) = D(y)$.

Following [6], we impose a fundamental restriction on distributions, namely that when two transitions can occur in one step, they cannot be co-located. This reflects our assumption that at a given location actions can only occur sequentially.

In [6] we observed that Petri nets incorporate a notion of synchronous interaction, in that a transition can fire only by synchronously taking the tokens from all of its preplaces. In general the behaviour of a net would change radically if a transition would take its input tokens one by one — in particular deadlocks may be introduced. Therefore we insist that in a distributed Petri net, a transition and all its input places reside on the same location. There is no reason to require the same for the output places of a transition, for the behaviour of a net would not change significantly if transitions were to deposit their output tokens one by one [6].
This leads to the following definition of a distributed Petri net.

Definition 15 [6] A Petri net $N = (S,T,F,M_0,\ell)$ is distributed iff there exists a distribution $D$ such that

(1) $\forall s \in S, t \in T.\ s \in {}^\bullet t \Rightarrow t \equiv_D s$,

(2) $\forall t,u \in T.\ t \smile u \Rightarrow t \not\equiv_D u$.

A typical example of a net which is not distributed is shown in Figure 1 on Page 13. Transitions $t$ and $v$ are concurrently executable and hence should be placed on different locations. However, both have preplaces in common with $u$ which would enforce putting all three transitions on the same location. In fact, distributed nets can be characterised in the following semi-structural way.

Observation 6 A Petri net is distributed iff there is no sequence $t_0, \ldots, t_n$ of transitions with $t_0 \smile t_n$ and ${}^\bullet t_{i-1} \cap {}^\bullet t_i \neq \emptyset$ for $i = 1,\ldots,n$. □

We proceed to show that the classes of LSGA nets and distributable nets essentially coincide. That 
every LSGA net is distributed follows because we can place each sequential component on a separate 
location. The following two lemmas constitute a formal argument. Here we call a component with 
interface (N,I, O) distributed iff N is distributed. 

Lemma 2 Any sequential component with interface is distributed. 

Proof: As a sequential component displays no concurrency, it suffices to co-locate all places and transitions. □

Lemma 3 states that the class of distributed nets is closed under asynchronous parallel composition.

Lemma 3 Let $\mathscr{C}_k = (N_k,I_k,O_k)$, $k \in \mathscr{K}$, be components with interface, satisfying the requirements of Definition 13, which are all distributed. Then $\big\|_{k \in \mathscr{K}} \mathscr{C}_k$ is distributed.

Proof: We need to find a distribution $D$ satisfying the requirements of Definition 15.

Every component $\mathscr{C}_k$ is distributed and hence comes with a distribution $D_k$. Without loss of generality the codomains of all $D_k$ can be assumed disjoint.

Considering each $D_k$ as a function from net elements onto locations, a partial function $D'_k$ can be defined which does not map any places in $O_k$, denoting that the element may be located arbitrarily, and behaves as $D_k$ for all other elements. As an output place has no posttransitions within a component, any total function larger than (i.e. a superset of) $D'_k$ is still a valid distribution for $N_k$.

Now $D' = \bigcup_{k \in \mathscr{K}} D'_k$ is a (partial) function, as every place shared between components is an input place of at most one. The required distribution $D$ can be chosen as any total function extending $D'$; it satisfies the requirements of Definition 15 since the $D_k$'s do. □

Corollary 1 Every LSGA net is distributed. □ 

Conversely, any distributed net $N$ can be transformed into an LSGA net by choosing co-located transitions with their pre- and postplaces as sequential components and declaring any place that belongs to multiple components to be an input place of component $N_k$ if it is a preplace of a transition in $N_k$, and an output place of component $N_l$ if it is a postplace of a transition in $N_l$ and not an input place of $N_l$. Furthermore, in order to guarantee that the components are sequential in the sense of Definition 12 an explicit control place is added to each component — without changing behaviour — as explained below Definition 12. It is straightforward to check that the asynchronous parallel composition of all so-obtained components is an LSGA net, and that it is equivalent to $N$ (using $\approx^\Delta_{bSTb}$, or any other reasonable equivalence).






On Distributability of Petri Nets 



Theorem 1 For any distributed net $N$ there is an LSGA net $N'$ with $N' \approx^\Delta_{bSTb} N$.

Proof: Let $N = (S,T,F,M_0,\ell)$ be a distributed net with a distribution $D$. Then an equivalent LSGA net $N'$ can be constructed by composing sequential components with interfaces as follows.

For each equivalence class $[x]$ of net elements according to $D$ a sequential component $(N_{[x]},I_{[x]},O_{[x]})$ is created. Each such component contains one new and initially marked place $p_{[x]}$ which is connected via self-loops to all transitions in $[x]$. The interface of the component is formed by $I_{[x]} := S \cap [x]$¹ and $O_{[x]} := ([x] \cap T)^\bullet \setminus [x]$. Formally, $N_{[x]} := (S_{[x]},T_{[x]},F_{[x]},M_{0[x]},\ell_{[x]})$ with

• $S_{[x]} = (S \cap [x]) \cup O_{[x]} \cup \{p_{[x]}\}$,

• $T_{[x]} = T \cap [x]$,

• $F_{[x]} = F \restriction (S_{[x]} \cup T_{[x]})^2 \cup \{(p_{[x]},t),(t,p_{[x]}) \mid t \in T_{[x]}\}$,

• $M_{0[x]} = (M_0 \restriction [x]) \cup \{p_{[x]}\}$, and

• $\ell_{[x]} = \ell \restriction [x]$.

All components overlap at interfaces only, as the sole places not in an interface are the newly created $p_{[x]}$. The $I_{[x]}$ are disjoint as the equivalence classes $[x]$ are, so $(N',I',O') := \big\|_{[x] \in (S \cup T)/{\equiv_D}} (N_{[x]},I_{[x]},O_{[x]})$ is well-defined. It remains to be shown that $N' \approx^\Delta_{bSTb} N$. The elements of $N'$ are exactly those of $N$ plus the new places $p_{[x]}$, which stay marked continuously except when a transition from $[x]$ is firing, and never connect two concurrently enabled transitions. Hence there exists a bijection between the ST-markings of $N'$ and $N$ that preserves the ST-transition relations between them, i.e. the associated ST-LTSs are isomorphic. From this it follows that $N' \approx^\Delta_{bSTb} N$. □

Observation 7 Every distributed Petri net is a structural conflict net. □

Corollary 2 Every LSGA net is a structural conflict net. □ 

Further on, we use a more liberal definition of a distributed net, called essentially distributed. We will show that up to $\approx^\Delta_{bSTb}$ any essentially distributed net can be converted into a distributed net. In [6] we employed an even more liberal definition of a distributed net, which we call here externally distributed. Although we showed that up to step readiness equivalence any externally distributed net can be converted into a distributed net, this does not hold for $\approx^\Delta_{bSTb}$.

Definition 16 A net $N = (S,T,F,M_0,\ell)$ is essentially distributed iff there exists a distribution $D$ satisfying (1) of Definition 15 and

(2') $\forall t,u \in T.\ t \smile u \wedge \ell(t) \neq \tau \Rightarrow t \not\equiv_D u$.

It is externally distributed iff there exists a distribution $D$ satisfying (1) and

(2'') $\forall t,u \in T.\ t \smile u \wedge \ell(t),\ell(u) \neq \tau \Rightarrow t \not\equiv_D u$.

Instead of ruling out co-location of concurrent transitions in general, essentially distributed nets permit concurrency of internal transitions — labelled $\tau$ — at the same location. Externally distributed nets even allow concurrency between external and internal transitions at the same location. If the transitions $t$ and $v$ in the net of Figure 1 would both be labelled $\tau$, the net would be essentially distributed, although not distributed; in case only $v$ would be labelled $\tau$ the net would be externally distributed but not essentially distributed. Essentially distributed nets need not be structural conflict nets; in fact, any net without external transitions is essentially distributed.

The following proposition says that up to $\approx^\Delta_{bSTb}$ any essentially distributed net can be converted into a distributed net.



¹Alternatively, we could take $I_{[x]} := (T \setminus [x])^\bullet \cap [x]$.
Proposition 3 For any essentially distributed net $N$ there is a distributed net $N'$ with $N' \approx^\Delta_{bSTb} N$.

Proof: The same construction as in the proof of Theorem 1 applies: $N'$ differs from $N$ by the addition, for each location $[x]$, of a marked place $p_{[x]}$ that is connected through self-loops to all transitions at that location. This time there exists a bijection between the reachable ST-markings of $N'$ and $N$ that preserves the ST-transition relations between them. This bijection exists because a reachable ST-marking is a pair $(M,U)$ with $U$ a sequence of external transitions only; this follows by a straightforward induction on reachability by ST-transitions. From this it follows that $N' \approx^\Delta_{bSTb} N$. □



Likewise, up to step readiness equivalence any externally distributed net can be converted into a distributed net.

Proposition 4 [6] For any externally distributed net $N$ there is a distributed net $N'$ that is step readiness equivalent to $N$.

Proof: Again the same construction applies. This time there exists a bijection between the markings 
of N' and N that preserves the step transition relations between them, i.e. the associated step transition 
systems are isomorphic. Here we use that the transitions in the associated LTS involve either a multiset 
of concurrently firing external transitions, or a single internal one. From this, step readiness equivalence 
follows. □ 

The counterexample in Figure 2 shows that up to $\approx^\Delta_{bSTb}$ not any externally distributed net can be converted into a distributed net. Sequentialising the component with actions $a$, $b$ and $\tau$ would disable the execution $\xrightarrow{a^+} \Longrightarrow \xrightarrow{c^+}$.
Figure 1: A fully marked M.



Figure 2: Externally distributed, but not distributable. 



Definition 17 Given any Petri net $N$, the canonical co-location relation $\equiv_C$ on $N$ is the equivalence relation on the places and transitions of $N$ generated by Condition (1) of Definition 15, i.e. the smallest equivalence relation $\equiv_D$ satisfying (1). The canonical distribution of $N$ is the distribution $C$ that maps each place or transition to its $\equiv_C$-equivalence class.

Observation 8 A Petri net that is distributed (resp. essentially or externally distributed) w.r.t. any distribution $D$, is distributed (resp. essentially or externally distributed) w.r.t. its canonical distribution.

Hence a net is distributed (resp. essentially or externally distributed) iff its canonical distribution $C$ satisfies Condition (2) of Definition 15 (resp. Condition (2') or (2'') of Definition 16).



5 Distributable Systems 

We now consider Petri nets as specifications of concurrent systems and ask the question which of those 
specifications can be implemented as distributed systems. This question can be formalised as 

Which Petri nets are semantically equivalent to distributed nets? 









Of course the answer depends on the choice of a suitable semantic equivalence. Here we will answer this 
question using the two equivalences discussed in the introduction. We will give a precise characterisation 
of those nets for which we can find semantically equivalent distributed nets. For the negative part of this 
characterisation, stating that certain nets are not distributable, we will use step readiness equivalence, 
which is one of the simplest and least discriminating equivalences imaginable that abstracts from internal 
actions, but preserves branching time, concurrency and divergence to some small degree. As explained in 
[6], giving up on any of these latter three properties would make any Petri net distributable, but in a rather 
trivial and unsatisfactory way. For the positive part, namely that all other nets are indeed distributable, 
we will use the most discriminating equivalence for which our implementation works, namely branching 
ST-bisimilarity with explicit divergence, which is finer than step readiness equivalence. Hence we will 
obtain the strongest possible results for both directions and it turns out that the concept of distributability 
is fairly robust w.r.t. the choice of a suitable equivalence: any equivalence notion between step readiness 
equivalence and branching ST-bisimilarity with explicit divergence will yield the same characterisation. 

Definition 18 A Petri net $N$ is distributable up to an equivalence $\approx$ iff there exists a distributed net $N'$ with $N' \approx N$.

Formally we give our characterisation of distributability by classifying which finitary plain structural 
conflict nets can be implemented as distributed nets, and hence as LSGA nets. In such implementations, 
we use invisible transitions. We study the concept "distributable" for plain nets only, but in order to get 
the largest class possible we allow non-plain implementations, where a given transition may be split into 
multiple transitions carrying the same label. 

It is well known that sometimes a global protocol is necessary to implement synchronous interaction present in system specifications. In particular, this may be needed for deciding choices in a coherent way, when these choices require agreement of multiple components. The simple net in Figure 1 shows a typical situation of this kind. Independent decisions of the two choices might lead to a deadlock. As remarked in [6], for this particular net there exists no satisfactory distributed implementation that fully respects the reactive behaviour of the original system. Indeed such M-structures, representing interference between concurrency and choice, turn out to play a crucial role for characterising distributability.

Definition 19 Let $N = (S,T,F,M_0,\ell)$ be a Petri net. $N$ has a fully reachable pure M iff
$\exists t,u,v \in T.\ {}^\bullet t \cap {}^\bullet u \neq \emptyset \wedge {}^\bullet u \cap {}^\bullet v \neq \emptyset \wedge {}^\bullet t \cap {}^\bullet v = \emptyset \wedge \exists M \in [M_0\rangle.\ {}^\bullet t \cup {}^\bullet u \cup {}^\bullet v \subseteq M$.

Note that Definition 19 implies that $t \neq u$, $u \neq v$ and $t \neq v$.

We now give an upper bound on the class of distributable nets by adopting a result from [6].

Theorem 2 Let $N$ be a plain structural conflict Petri net. If $N$ has a fully reachable pure M, then $N$ is not distributable up to step readiness equivalence.

Proof: In [6] this theorem was obtained for plain one-safe nets.² The proof applies verbatim to plain structural conflict nets as well. □

Since $\approx^\Delta_{bSTb}$ is finer than step readiness equivalence, this result holds also for distributability up to $\approx^\Delta_{bSTb}$ (and any equivalence between step readiness equivalence and $\approx^\Delta_{bSTb}$).

In the following, we establish that this upper bound is tight, and hence a finitary plain structural 
conflict net is distributable iff it has no fully reachable pure M. For this, it is helpful to first introduce 
macros in Petri nets for reversibility of transitions. 

²In [6] the theorem was claimed and proven only for plain nets with a fully reachable visible pure M; however, for plain nets the requirement of visibility is irrelevant.
5.1 Petri nets with reversible transitions

A Petri net with reversible transitions generalises the notion of a Petri net; its semantics is given by a translation to an ordinary Petri net, thereby interpreting the reversible transitions as syntactic sugar for certain net fragments. It is defined as a tuple $(S,T,\Omega,\iota,F,M_0,\ell)$ with $S$ a set of places, $T$ a set of (reversible) transitions, labelled by $\ell : T \to Act \cup \{\tau\}$, $\Omega$ a set of undo interfaces with the relation $\iota \subseteq \Omega \times T$ linking interfaces to transitions, $M_0 \in \mathbb{N}^S$ an initial marking, and

$$F : (S \times T \times \{in, early, late, out, far\} \to \mathbb{N})$$

the flow relation. When $F(s,t,type) > 0$ for $type \in \{in, early, late, out, far\}$, this is depicted by drawing an arc from $s$ to $t$, labelled with its arc weight $F(s,t,type)$, of one of five arc shapes, one per type (shown in the original figure), respectively. For $t \in T$ and $type \in \{in, early, late, out, far\}$, the multiset of places $t^{type} \in \mathbb{N}^S$ is given by $t^{type}(s) = F(s,t,type)$. When $s \in t^{type}$ for $type \in \{in, early, late\}$, the place $s$ is called a preplace of $t$ of type $type$; when $s \in t^{type}$ for $type \in \{out, far\}$, $s$ is called a postplace of $t$ of type $type$. For each undo interface $\omega \in \Omega$ and transition $t$ with $\iota(\omega,t)$ there must be places $undo_\omega(t)$, $reset_\omega(t)$ and $ack_\omega(t)$ in $S$. A transition with a nonempty set of interfaces is called reversible; the other (standard) transitions may have pre- and postplaces of types $in$ and $out$ only — for these transitions $t^{in} = {}^\bullet t$ and $t^{out} = t^\bullet$. In case $\Omega = \emptyset$, the net is just a normal Petri net.

A global state of a Petri net with reversible transitions is given by a marking $M \in \mathbb{N}^S$, together with the state of each reversible transition "currently in progress". Each transition in the net can fire as usual. A reversible transition can moreover take back (some of) its output tokens, and be undone and reset. When a transition $t$ fires, it consumes $\sum_{type \in \{in, early, late\}} F(s,t,type)$ tokens from each of its preplaces $s$ and produces $\sum_{type \in \{out, far\}} F(s,t,type)$ tokens in each of its postplaces $s$. A reversible transition $t$ that has fired can start its reversal by consuming a token from $undo_\omega(t)$ for one of its interfaces $\omega$. Subsequently, it can take back one by one a token from its postplaces of type $far$. After it has retrieved all its output of type $far$, the transition is undone, thereby returning $F(s,t,early)$ tokens in each of its preplaces $s$ of type $early$. Afterwards, by consuming a token from $reset_\omega(t)$, for the same interface $\omega$ that started the undo-process, the transition terminates its chain of activities by returning $F(s,t,late)$ tokens in each of its late preplaces $s$. At that occasion it also produces a token in $ack_\omega(t)$. Alternatively, two tokens in $undo_\omega(t)$ and $reset_\omega(t)$ can annihilate each other without involving the transition $t$; this also produces a token in $ack_\omega(t)$. The latter mechanism comes in action when trying to undo a transition that has not yet fired.

Figure 3 shows the translation of a reversible transition $t$ with $\ell(t) = a$ into an ordinary net fragment. The arc weights on the green (or grey) arcs are inherited from the untranslated net; the other arcs have weight 1. Formally, a net $(S,T,\Omega,\iota,F,M_0,\ell)$ with reversible transitions translates into the Petri net containing all places $S$, initially marked as indicated by $M_0$, all standard transitions in $T$, labelled according to $\ell$, along with their pre- and postplaces, and furthermore all net elements mentioned in Table 1. Here $T^{\leftrightarrow}$ denotes the set of reversible transitions in $T$.

Transition            | Label     | Preplaces                                  | Postplaces                    | for all
----------------------|-----------|--------------------------------------------|-------------------------------|-----------------------------------------------------------
$t\cdot fire$         | $\ell(t)$ | $t^{in}, t^{early}, t^{late}$              | $fired(t), t^{out}, t^{far}$  | $t \in T^{\leftrightarrow}$
$t\cdot undo_\omega$  | $\tau$    | $undo_\omega(t), fired(t)$                 | $\rho_\omega(t), take(f,t)$   | $t \in T^{\leftrightarrow}, \iota(\omega,t), f \in t^{far}$
$t\cdot undo(f)$      | $\tau$    | $take(f,t), f$                             | $took(f,t)$                   | $t \in T^{\leftrightarrow}, f \in t^{far}$
$t\cdot undone$       | $\tau$    | $took(f,t)$                                | $\rho(t), t^{early}$          | $t \in T^{\leftrightarrow}, f \in t^{far}$
$t\cdot reset_\omega$ | $\tau$    | $reset_\omega(t), \rho_\omega(t), \rho(t)$ | $t^{late}, ack_\omega(t)$     | $t \in T^{\leftrightarrow}, \iota(\omega,t)$
$t\cdot elide_\omega$ | $\tau$    | $undo_\omega(t), reset_\omega(t)$          | $ack_\omega(t)$               | $t \in T^{\leftrightarrow}, \iota(\omega,t)$

Table 1: Expansion of a Petri net with reversible transitions into a place/transition system.
Figure 3: A reversible transition and its macro expansion. 
5.2 The conflict replicating implementation 

Now we establish that a finitary plain structural conflict net that has no fully reachable pure M is dis- 
tributable. We do this by proposing the conflict replicating implementation of any such net, and show that 
this implementation is always (a) essentially distributed, and (b) equivalent to the original net. In order 
to get the strongest possible result, for (b) we use branching ST-bisimilarity with explicit divergence. 

To define the conflict replicating implementation of a net $N = (S,T,F,M_0,\ell)$ we fix an arbitrary well-ordering $<$ on its transitions. We let $b,c,g,h,i,j,k,l$ range over these ordered transitions, and write

- $i \# j$ iff $i \neq j \wedge {}^\bullet i \cap {}^\bullet j \neq \emptyset$ (transitions $i$ and $j$ are in conflict), and $i =^{\#} j$ iff $i \# j \vee i = j$,

- $i <^{\#} j$ iff $i < j \wedge i \# j$, and $i \leq^{\#} j$ iff $i <^{\#} j \vee i = j$.

Figure 4 shows the conflict replicating implementation of $N$. It is presented as a Petri net

$$\mathscr{I}(N) = (S',T',F',\Omega,\iota,M_0',\ell')$$

with reversible transitions. The set $\Omega$ of undo interfaces is $T$, and for $i \in \Omega$ we have $\iota(i,t)$ iff $t \in \Omega_i$, where the sets of transitions $\Omega_i \in \mathbb{N}^{T'}$ are specified in Figure 4. The implementation $\mathscr{I}(N)$ inherits the places of $N$ (i.e. $S' \supseteq S$), and we postulate that $M_0' \restriction S = M_0$. Given this, Figure 4 is not merely an illustration of $\mathscr{I}(N)$ — it provides a complete and accurate description of it, thereby defining the conflict replicating implementation of any net. In interpreting this figure it is important to realise that net elements are completely determined by their name (identity), and exist only once, even if they show up multiple times in the figure. For instance, the place $\pi_{h\#j}$ with $h=2$ and $j=5$ (when using natural numbers for the transitions in $T$) is the same as the place $\pi_{j\#l}$ with $j=2$ and $l=5$; it is a standard preplace of execute (for
Figure 4: The conflict replicating implementation 
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all i < # 2), a standard postplace of fetched^, as well as a late preplace of transfer^. A description of this 
net after expanding the macros for reversible transitions appears in Table [2] on Page [29] 

The role of the transitions distribute$_p$, for $p \in S$, is to distribute a token in $p$ to copies $p_j$ of $p$ in the localities of all transitions $j \in T$ with $p \in {}^\bullet j$. In case $j$ is enabled in $N$, the transition initialise$_j$ will become enabled in $\mathscr{I}(N)$. These transitions put tokens in the places pre, which are preconditions for all transitions execute, which model the execution of $j$ at the location of $k$. When two conflicting transitions $h$ and $j$ are both enabled in $N$, the first steps initialise$_h$ and initialise$_j$ towards their execution in $\mathscr{I}(N)$ can happen in parallel. To prevent them from executing both, execute (of $j$ at its own location) is only possible after the corresponding transfer transition, which disables the competing execute transition.

The main idea behind the conflict replicating implementation is that a transition $h \in T$ is primarily executed by a sequential component of its own, but when a conflicting transition $j$ gets enabled, the sequential component implementing $j$ may "steal" the possibility to execute $h$ from the home component of $h$, and keep the options to do $h$ and $j$ open until one of them occurs. To prevent $h$ and $j$ from stealing each other's initiative, which would result in deadlock, a global asymmetry is built in by ordering the transitions. Transition $j$ can steal the initiative from $h$ only when $h < j$.

In case $j$ is also in conflict with a transition $l$, with $j < l$, the initiative to perform $j$ may subsequently be stolen by $l$. In that case either $h$ and $l$ are in conflict too — then $l$ takes responsibility for the execution of $h$ as well — or $h$ and $l$ are concurrent — in that case $h$ will not be enabled, due to the absence of fully reachable pure Ms in $N$. The absence of fully reachable pure Ms also guarantees that it cannot happen that two concurrent transitions $j$ and $k$ both steal the initiative from an enabled transition $h$.

After the firing of execute all tokens that were left behind in the process of carefully orchestrating this firing will have to be cleaned up, in order to prepare the net for the next activity in the same neighbourhood. This is the reason for the reversibility of the transitions preparing the firing of execute. Hence there is an undo interface for each transition $i \in T$, cleaning up the mess made in preparation of firing execute for some $j \geq^{\#} i$. $\Omega_i$ is the multiset of all transitions $t$ that could possibly have contributed to this. For each of them the undo interface $i$ is activated, by execute depositing a token in undo$_i(t)$. After all preparatory transitions that have fired are undone, tokens appear in the places $p_c$ for all $p \in {}^\bullet i$ and $c \in p^\bullet$. These are collected by fetched, after which all transitions in $\Omega_i$ get a reset signal. Those that have fired and were undone are reset, and those that never fired perform elide$_i(t)$. In either case a token appears in ack$_i(t)$. These are collected by finalise, which finishes the process of executing $i$ by depositing tokens in its postplaces.




Figure 5: An example net. 
The conflict replicating implementation is illustrated by means of the finitary plain structural conflict net $N$ of Figure 5. The places and transitions a-q-b-s-c-x-d in this net constitute a long M: for each pair a-b, b-c and c-d of neighbouring transitions, as well as for the pair a-d of extremal transitions, there exists a reachable marking enabling them both. Moreover, neighbouring transitions in the long M are in conflict: $a \# b$, $b \# c$ and $c \# d$, whereas the extremal transitions are concurrent: $a \smile d$. However, $N$ has no fully reachable pure M: no M-shaped triple of transitions a-b-c, b-c-d or b-c-e is ever simultaneously enabled.

In [6] we gave a simpler implementation, the transition-controlled choice implementation, that works for all finitary plain 1-safe Petri nets without such a long M. Hence $N$ constitutes an example where that implementation does not apply, yet the conflict replicating implementation does. In fact, when leaving out the z-e-branch it may be the simplest example with these properties. We have added this branch to illustrate the situation where three transitions are pairwise in conflict.

Figure 6 presents relevant parts of the conflict replicating implementation $\mathscr{I}(N)$ of $N$. The ten places of $N$ return in $\mathscr{I}(N)$, but the transitions of $N$ are replaced by more complicated net fragments. In Figure 6 we have simplified the rendering of $\mathscr{I}(N)$ by simply copying the five topmost transitions of $N$, instead of displaying the net fragments replacing them. This simplification is possible since the top half of $N$ is already distributed. To remind the reader of this, we left those transitions unlabelled.

In order to fix a well-ordering $<$ on the remaining transitions, we named them after the first five positive natural numbers. The ordered conflicts between those transitions now are $1 <^{\#} 2$, $2 <^{\#} 3$, $3 <^{\#} 4$, $3 <^{\#} 5$ and $4 <^{\#} 5$. In Figure 6 we have skipped all places, transitions and arcs involved in the cleanup of tokens after firing of a transition. In this example the cleanup is not necessary, as no place of $N$ is visited twice. Thus, we displayed only the non-reversible part of the transitions initialise and transfer — i.e. initialise$\cdot$fire and transfer$\cdot$fire — as well as the transitions distribute and execute. Likewise, we omitted the outgoing arcs of execute, the places …, and those places that have arcs only to omitted transitions. We leave it to the reader to check this net against the definition in Figure 4 and to play the token game on this net, to see that it correctly implements $N$.

In Section 7 we will show, for any finitary plain structural conflict net without a fully reachable pure M, that $\mathscr{I}(N) \approx^\Delta_{bSTb} N$, and that $\mathscr{I}(N)$ is essentially distributed. Hence $\mathscr{I}(N)$ is an essentially distributed implementation of $N$. By Proposition 3 this implies that $N$ is distributable up to $\approx^\Delta_{bSTb}$. Together with Theorem 2 it follows that, for any equivalence between step readiness equivalence and $\approx^\Delta_{bSTb}$, a finitary plain structural conflict net is distributable iff it has no fully reachable pure M.

Given the complexity of our construction, no techniques known to us were adequate for performing the equivalence proof. We therefore had to develop an entirely new method for rigorously proving the equivalence of two Petri nets up to $\approx^\Delta_{bSTb}$, one of which is known to be plain. This method is presented in Section 6.



6 Proving Implementations Correct 

This section presents a method for establishing the equivalence of two Petri nets, one of which is known to be plain, up to branching ST-bisimilarity with explicit divergence. It appears as Theorem 3. First approximations of this method are presented in Lemmas 5 and 6. The progression from Lemma 5 to Lemma 6 and to Theorem 3 makes the method more specific (so less general) and more powerful. By means of a simplification a similar method can be obtained, also in three steps, for establishing the equivalence of two Petri nets up to interleaving branching bisimilarity with explicit divergence. This is elaborated at the end of this section.
Definition 20 A labelled transition system $(\mathfrak{S},\mathfrak{T},\mathfrak{M}_0)$ is called deterministic if for all reachable states $\mathfrak{M} \in [\mathfrak{M}_0\rangle$ we have $\mathfrak{M} \not\xrightarrow{\tau}$ and if $\mathfrak{M} \xrightarrow{a} \mathfrak{M}'$ and $\mathfrak{M} \xrightarrow{a} \mathfrak{M}''$ for some $a \in \mathfrak{Act}$ then $\mathfrak{M}' = \mathfrak{M}''$.

Deterministic systems may not have reachable $\tau$-transitions at all; this way, if $\mathfrak{M} \stackrel{a}{\Longrightarrow} \mathfrak{M}'$ and $\mathfrak{M} \stackrel{a}{\Longrightarrow} \mathfrak{M}''$ for some $a \in \mathfrak{Act}^*$ then $\mathfrak{M}' = \mathfrak{M}''$. Note that the labelled transition system associated to a plain Petri net is deterministic; the same applies to the ST-LTS, the split LTS or the step LTS associated to such a net.

Lemma 4 Let $(\mathfrak{S}_1,\mathfrak{T}_1,\mathfrak{M}_{01})$ and $(\mathfrak{S}_2,\mathfrak{T}_2,\mathfrak{M}_{02})$ be two labelled transition systems, the latter being deterministic. Suppose there is a relation $\mathscr{B} \subseteq \mathfrak{S}_1 \times \mathfrak{S}_2$ such that

(a) $\mathfrak{M}_{01} \mathscr{B} \mathfrak{M}_{02}$,

(b) if $\mathfrak{M}_1 \mathscr{B} \mathfrak{M}_2$ and $\mathfrak{M}_1 \xrightarrow{\tau} \mathfrak{M}_1'$ then $\mathfrak{M}_1' \mathscr{B} \mathfrak{M}_2$,

(c) if $\mathfrak{M}_1 \mathscr{B} \mathfrak{M}_2$ and $\mathfrak{M}_1 \xrightarrow{a} \mathfrak{M}_1'$ for some $a \in \mathfrak{Act}$ then $\exists \mathfrak{M}_2'.\ \mathfrak{M}_2 \xrightarrow{a} \mathfrak{M}_2' \wedge \mathfrak{M}_1' \mathscr{B} \mathfrak{M}_2'$,

(d) if $\mathfrak{M}_1 \mathscr{B} \mathfrak{M}_2$ and $\mathfrak{M}_2 \xrightarrow{a}$ for some $a \in \mathfrak{Act}$ then either $\mathfrak{M}_1 \xrightarrow{a}$ or $\mathfrak{M}_1 \xrightarrow{\tau}$,

(e) and there is no infinite sequence $\mathfrak{M}_1 \xrightarrow{\tau} \mathfrak{M}_1' \xrightarrow{\tau} \mathfrak{M}_1'' \xrightarrow{\tau} \cdots$ with $\mathfrak{M}_1 \mathscr{B} \mathfrak{M}_2$ for some $\mathfrak{M}_2$.

Then $\mathscr{B}$ is a branching bisimulation, and the two LTSs are branching bisimilar with explicit divergence.

Proof: It suffices to show that $\mathscr{B}$ satisfies Conditions 1-3 of Definition 7; the condition on explicit 
divergence follows immediately from (e), using that a deterministic LTS admits no divergence at all. 

1. By (a). 

2. In case $\alpha = \tau$ this follows directly from (b), and otherwise from (c). In both cases $\mathfrak{M}_2^\dagger := \mathfrak{M}_2$ and 
when $\alpha = \tau$ also $\mathfrak{M}_2' := \mathfrak{M}_2$. 

3. Suppose $\mathfrak{M}_1 \mathscr{B} \mathfrak{M}_2$ and $\mathfrak{M}_2 \xrightarrow{\alpha} \mathfrak{M}_2'$. Since $(\mathfrak{S}_2, \mathfrak{T}_2, \mathfrak{M}_{02})$ is deterministic, $\alpha = a \in Act$. By 
(d) we have either $\mathfrak{M}_1 \xrightarrow{a} \mathfrak{M}_1^1$ or $\mathfrak{M}_1 \xrightarrow{\tau} \mathfrak{M}_1^1$ for some $\mathfrak{M}_1^1 \in \mathfrak{S}_1$. In the latter case (b) yields 
$\mathfrak{M}_1^1 \mathscr{B} \mathfrak{M}_2$, and using (d) again, either $\mathfrak{M}_1^1 \xrightarrow{a} \mathfrak{M}_1^2$ or $\mathfrak{M}_1^1 \xrightarrow{\tau} \mathfrak{M}_1^2$ for some $\mathfrak{M}_1^2 \in \mathfrak{S}_1$. Repeating 
this argument, if the choice between $a$ and $\tau$ is made $k$ times in favour of $\tau$ (with $k \ge 0$), we obtain 
$\mathfrak{M}_1^k \mathscr{B} \mathfrak{M}_2$ (where $\mathfrak{M}_1^0 := \mathfrak{M}_1$) and either $\mathfrak{M}_1^k \xrightarrow{a} \mathfrak{M}_1^{k+1}$ or $\mathfrak{M}_1^k \xrightarrow{\tau} \mathfrak{M}_1^{k+1}$. By (e), at some point the 
choice must be made in favour of $a$, say at $\mathfrak{M}_1^k$. Thus $\mathfrak{M}_1 \Longrightarrow \mathfrak{M}_1^k$ with $\mathfrak{M}_1^k \mathscr{B} \mathfrak{M}_2$. We 
take $\mathfrak{M}_1^\dagger$ and $\mathfrak{M}_1'$ from Definition 7 to be $\mathfrak{M}_1^k$ and $\mathfrak{M}_1^{k+1}$. It remains to show that $\mathfrak{M}_1^{k+1} \mathscr{B} \mathfrak{M}_2'$. By 
(c) there is an $\mathfrak{M}_2'' \in \mathfrak{S}_2$ with $\mathfrak{M}_2 \xrightarrow{a} \mathfrak{M}_2''$ and $\mathfrak{M}_1^{k+1} \mathscr{B} \mathfrak{M}_2''$. Since $(\mathfrak{S}_2, \mathfrak{T}_2, \mathfrak{M}_{02})$ is deterministic, 
$\mathfrak{M}_2' = \mathfrak{M}_2''$. □ 
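The point of Lemma 4 is that against a deterministic specification one never has to match $\tau$-sequences or intermediate states: conditions (a)-(e) are local checks on the candidate relation plus one global divergence check. The following Python program is an added worked example, not code from the paper: it encodes two finite labelled transition systems as dictionaries (the internal action is written "tau"), verifies that the second one is deterministic in the sense of Definition 20, and then checks (a)-(e) of Lemma 4 for a candidate relation $\mathscr{B}$. The specification, the implementation and the relation are constructed for the illustration; a second, diverging implementation shows condition (e) rejecting a relation that passes (a)-(d).

```python
"""Checker for conditions (a)-(e) of Lemma 4 on finite labelled transition
systems.  Added example, not from the paper: the two LTSs and the candidate
relation B below are constructed for illustration.  An LTS is a dict mapping
each state to a set of (label, target) pairs; the internal action is "tau".
"""
TAU = "tau"


def reachable(lts, init):
    seen, stack = set(), [init]
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        stack.extend(t for (_, t) in lts.get(s, ()))
    return seen


def is_deterministic(lts, init):
    """Definition 20: no reachable tau-step, and at most one a-successor per label."""
    for s in reachable(lts, init):
        targets = {}
        for (a, t) in lts.get(s, ()):
            if a == TAU or targets.setdefault(a, t) != t:
                return False
    return True


def successors(lts, s, a):
    return {t for (b, t) in lts.get(s, ()) if b == a}


def has_tau_cycle(lts, states):
    """True iff the tau-graph restricted to `states` contains a cycle, i.e. (the
    LTS being finite) an infinite tau-sequence starts in one of them."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {s: WHITE for s in states}

    def visit(s):
        colour[s] = GREY
        for t in successors(lts, s, TAU):
            if t in colour and (colour[t] == GREY or (colour[t] == WHITE and visit(t))):
                return True
        colour[s] = BLACK
        return False

    return any(colour[s] == WHITE and visit(s) for s in states)


def check_lemma4(lts1, init1, lts2, init2, B):
    """Return (True, "") if B satisfies (a)-(e) of Lemma 4, else (False, reason).
    A True result certifies that lts1 and lts2 are branching bisimilar with
    explicit divergence, without ever matching tau-sequences or intermediate
    states as Definition 7 would require."""
    if not is_deterministic(lts2, init2):
        return False, "second LTS is not deterministic"
    if (init1, init2) not in B:
        return False, "(a) initial states are not related"
    for (m1, m2) in B:
        for (a, n1) in lts1.get(m1, ()):
            if a == TAU:
                if (n1, m2) not in B:                                   # (b)
                    return False, f"(b) fails at {(m1, m2)}: tau to {n1}"
            elif not any((n1, n2) in B for n2 in successors(lts2, m2, a)):
                return False, f"(c) fails at {(m1, m2)} on {a}"      # (c)
        for (a, _) in lts2.get(m2, ()):                                 # (d)
            if not (successors(lts1, m1, a) or successors(lts1, m1, TAU)):
                return False, f"(d) fails at {(m1, m2)} on {a}"
    # (e): by (b) every tau-path from a related state stays inside related
    # states, so divergence from a related state is exactly a tau-cycle there.
    if has_tau_cycle(lts1, {m1 for (m1, _) in B}):
        return False, "(e) fails: tau-divergence from a related state"
    return True, ""


# Constructed example: a specification alternating a and b, and an
# implementation that precedes each visible step by an internal tau-step.
SPEC = {"s0": {("a", "s1")}, "s1": {("b", "s0")}}
IMPL = {"i0": {(TAU, "i1")}, "i1": {("a", "i2")},
        "i2": {(TAU, "i3")}, "i3": {("b", "i0")}}
B = {("i0", "s0"), ("i1", "s0"), ("i2", "s1"), ("i3", "s1")}

# The same implementation with an extra tau-loop: (a)-(d) still hold for B,
# but (e) detects the divergence.
DIVERGING = {**IMPL, "i1": {("a", "i2"), (TAU, "i0")}}

if __name__ == "__main__":
    print(check_lemma4(IMPL, "i0", SPEC, "s0", B))        # (True, '')
    print(check_lemma4(DIVERGING, "i0", SPEC, "s0", B))   # (False, '(e) ...')
```

Condition (e) is reduced to cycle detection on the $\tau$-graph of the related states only: condition (b), which is checked first, guarantees that a $\tau$-path starting in a related state never leaves the related states, so on a finite LTS divergence from a related state is the same as a $\tau$-cycle among them.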

Lemma 5. Let $N = (S,T,F,M_0,\ell)$ and $N' = (S',T',F',M_0',\ell')$ be two nets, $N'$ being plain. Suppose there 
is a relation $\mathscr{B} \subseteq (\mathbb{N}^S \times \mathbb{N}^T) \times (\mathbb{N}^{S'} \times \mathbb{N}^{T'})$ such that 

(a) $(M_0, \emptyset) \mathscr{B} (M_0', \emptyset)$, 

(b) if $(M_1,U_1) \mathscr{B} (M_1',U_1')$ and $(M_1,U_1) \xrightarrow{\tau} (M_2,U_2)$ then $(M_2,U_2) \mathscr{B} (M_1',U_1')$, 

(c) if $(M_1,U_1) \mathscr{B} (M_1',U_1')$ and $(M_1,U_1) \xrightarrow{\eta} (M_2,U_2)$ for some $\eta \in Act^\pm$ 
then $\exists (M_2',U_2').\ (M_1',U_1') \xrightarrow{\eta} (M_2',U_2') \wedge (M_2,U_2) \mathscr{B} (M_2',U_2')$, 

(d) if $(M_1,U_1) \mathscr{B} (M_1',U_1')$ and $(M_1',U_1') \xrightarrow{\eta}$ with $\eta \in Act^\pm$ then either $(M_1,U_1) \xrightarrow{\eta}$ or $(M_1,U_1) \xrightarrow{\tau}$, 

(e) and there is no infinite sequence $(M,U) \xrightarrow{\tau} (M_1,U_1) \xrightarrow{\tau} (M_2,U_2) \xrightarrow{\tau} \cdots$ with $(M,U) \mathscr{B} (M',U')$ 
for some $(M',U')$. 

Then $\mathscr{B}$ is a branching split bisimulation, and $N \approx^\Delta_{bSTb} N'$. 

Proof: That $N$ and $N'$ are branching split bisimilar with explicit divergence follows directly from Lemma 
4 by taking $(\mathfrak{S}_1, \mathfrak{T}_1, \mathfrak{M}_{01})$ and $(\mathfrak{S}_2, \mathfrak{T}_2, \mathfrak{M}_{02})$ to be the split LTSs associated to $N$ and $N'$ respectively. 
Here we use that the split LTS associated to a plain net is deterministic. The final conclusion follows by 
Proposition 12. □ 

Lemma 5 provides a method for proving $N \approx^\Delta_{bSTb} N'$ that can be more efficient than directly checking 
the definition. In particular, the intermediate states $\mathfrak{M}_2^\dagger$ and the sequence of $\tau$-transitions $\Longrightarrow$ from 
Definition 7 do not occur in Lemma 4, and hence not in Lemma 5. Moreover, in Condition (d) one no 
longer has to match the targets of corresponding transitions. Lemma 6 below, when applicable, provides 
an even more efficient method: it is no longer needed to specify the branching split bisimulation $\mathscr{B}$, and 
the targets have disappeared from the transitions in Condition 2c as well. Instead, we have acquired 
Condition 1, but this is a structural property, which is relatively easy to check. 

Lemma 6. Let $N = (S,T,F,M_0,\ell)$ be a net and $N' = (S',T',F',M_0',\ell')$ be a plain net with $S' \subseteq S$ and 
$M_0' = M_0 \upharpoonright S'$. Suppose: 

1. $\forall t \in T,\ \ell(t) \neq \tau.\ \exists t' \in T',\ \ell'(t') = \ell(t).\ \exists G \in_f \mathbb{N}^T,\ \ell(G) = \emptyset.\ [\![t']\!] = [\![t + G]\!]$. 

2. For any $G \in_f \mathbb{Z}^T$ with $\ell(G) = \emptyset$, $M' \in \mathbb{N}^{S'}$, $U' \in \mathbb{N}^{T'}$ and $U \in_f \mathbb{N}^T$ with $\ell'(U') = \ell(U)$, $M' + {}^\bullet U' \in [M_0'\rangle_{N'}$ and $M := M' + {}^\bullet U' + (M_0 - M_0') + [\![G]\!] - {}^\bullet U \in \mathbb{N}^S$ with $M + {}^\bullet U \in [M_0\rangle_N$, it holds that: 

(a) there is no infinite sequence $M \xrightarrow{\tau} M_1 \xrightarrow{\tau} M_2 \xrightarrow{\tau} \cdots$ 

(b) if $M' \xrightarrow{a}$ with $a \in Act$ then $M \xrightarrow{a}$ or $M \xrightarrow{\tau}$ 

(c) and if $M \xrightarrow{a}$ with $a \in Act$ then $M' \xrightarrow{a}$. 

Then $N \approx^\Delta_{bSTb} N'$. 

Proof: Define $\mathscr{B} \subseteq (\mathbb{N}^S \times \mathbb{N}^T) \times (\mathbb{N}^{S'} \times \mathbb{N}^{T'})$ by $(M,U) \mathscr{B} (M',U') :\Leftrightarrow \ell'(U') = \ell(U) \wedge M' + {}^\bullet U' \in [M_0'\rangle_{N'}$ 
$\wedge\ \exists G \in_f \mathbb{Z}^T.\ \ell(G) = \emptyset \wedge M + {}^\bullet U = M' + {}^\bullet U' + (M_0 - M_0') + [\![G]\!] \in [M_0\rangle_N$. It suffices to show that $\mathscr{B}$ 
satisfies Conditions (a)-(e) of Lemma 5. 

(a) Take $G = \emptyset$. 

(b) Suppose $(M_1,U_1) \mathscr{B} (M_1',U_1')$ and $(M_1,U_1) \xrightarrow{\tau} (M_2,U_2)$. Then $\ell'(U_1') = \ell(U_1) \wedge M_1' + {}^\bullet U_1' \in [M_0'\rangle_{N'}$ 
$\wedge\ \exists G \in_f \mathbb{Z}^T.\ \ell(G) = \emptyset \wedge M_1 = M_1' + {}^\bullet U_1' + (M_0 - M_0') + [\![G]\!] - {}^\bullet U_1 \wedge M_1 + {}^\bullet U_1 \in [M_0\rangle_N$, and moreover 
$M_1 \xrightarrow{\tau} M_2 \wedge U_2 = U_1$. So $M_1[t\rangle M_2$ for some $t \in T$ with $\ell(t) = \tau$. Hence $M_2 = M_1 + [\![t]\!] = M_1' + 
{}^\bullet U_1' + (M_0 - M_0') + [\![G + t]\!] - {}^\bullet U_1$. Since $(M_1 + {}^\bullet U_1)[t\rangle(M_2 + {}^\bullet U_1)$, we have $M_2 + {}^\bullet U_1 \in [M_0\rangle_N$. 
Since also $\ell(G + t) = \emptyset$ it follows that $(M_2,U_1) \mathscr{B} (M_1',U_1')$. 

(c) Suppose $(M_1,U_1) \mathscr{B} (M_1',U_1')$ and $(M_1,U_1) \xrightarrow{\eta} (M_2,U_2)$, with $\eta \in Act^\pm$. Then $\ell'(U_1') = \ell(U_1)$, 
$M_1' + {}^\bullet U_1' \in [M_0'\rangle_{N'}$, and 

$$\exists G \in_f \mathbb{Z}^T.\ \ell(G) = \emptyset \wedge M_1 + {}^\bullet U_1 = M_1' + {}^\bullet U_1' + (M_0 - M_0') + [\![G]\!] \in [M_0\rangle_N. \qquad (1)$$

First suppose $\eta = a^+$. Then $\exists t \in T.\ \ell(t) = a \wedge M_1[t\rangle \wedge M_2 = M_1 - {}^\bullet t \wedge U_2 = U_1 + \{t\}$. Using that 
$M_1 \xrightarrow{a}$ with $a \in Act$, by Condition 2c we have $M_1' \xrightarrow{a}$, i.e. $M_1'[t'\rangle$ for some $t' \in T'$ with $\ell'(t') = a$. 
Let $M_2' := M_1' - {}^\bullet t'$ and $U_2' := U_1' + \{t'\}$. Then $(M_1',U_1') \xrightarrow{a^+} (M_2',U_2')$. Moreover, $\ell'(U_2') = \ell(U_2)$, 
$M_2' + {}^\bullet U_2' = M_1' + {}^\bullet U_1' \in [M_0'\rangle_{N'}$ and $M_2 + {}^\bullet U_2 = M_1 + {}^\bullet U_1$. In combination with (1) this yields 

$$M_2 + {}^\bullet U_2 = M_1 + {}^\bullet U_1 = M_1' + {}^\bullet U_1' + (M_0 - M_0') + [\![G]\!] = M_2' + {}^\bullet U_2' + (M_0 - M_0') + [\![G]\!],$$

so $(M_2,U_2) \mathscr{B} (M_2',U_2')$. 

Now suppose $\eta = a^-$. Then $\exists t \in U_1.\ \ell(t) = a \wedge U_2 = U_1 - \{t\} \wedge M_2 = M_1 + t^\bullet$. Since $\ell'(U_1') = \ell(U_1)$ 
there is a $t' \in U_1'$ with $\ell'(t') = a$. Let $M_2' := M_1' + t'^\bullet$ and $U_2' := U_1' - \{t'\}$. Then $(M_1',U_1') \xrightarrow{a^-} (M_2',U_2')$. 
By construction, $\ell(U_2) = \ell'(U_2')$. Moreover, $M_2 + {}^\bullet U_2 = M_1 + t^\bullet + {}^\bullet U_1 - {}^\bullet t = (M_1 + {}^\bullet U_1) + [\![t]\!]$, 
and likewise 

$$M_2' + {}^\bullet U_2' = (M_1' + {}^\bullet U_1') + [\![t']\!] \qquad (2)$$

so $(M_1' + {}^\bullet U_1')[t'\rangle(M_2' + {}^\bullet U_2')$. Since $M_1' + {}^\bullet U_1' \in [M_0'\rangle_{N'}$, this yields $M_2' + {}^\bullet U_2' \in [M_0'\rangle_{N'}$. Moreover, 
$M_2 + {}^\bullet U_2 = M_1 + t^\bullet + {}^\bullet U_1 - {}^\bullet t = M_1 + {}^\bullet U_1 + [\![t]\!] \in [M_0\rangle_N$. Furthermore, combining (1) and (2) gives 

$$\exists G \in_f \mathbb{Z}^T.\ \ell(G) = \emptyset \wedge M_2 + {}^\bullet U_2 - [\![t]\!] = M_2' + {}^\bullet U_2' - [\![t']\!] + (M_0 - M_0') + [\![G]\!]. \qquad (3)$$

By Condition 1 of Lemma 6, $\exists t'' \in T'.\ \ell'(t'') = \ell(t).\ \exists G_t \in_f \mathbb{N}^T,\ \ell(G_t) = \emptyset.\ [\![t]\!] = [\![t'' - G_t]\!]$. Since 
$N'$ is a plain net, it has only one transition $t^\dagger$ with $\ell'(t^\dagger) = a$, so $t'' = t'$. Substitution of $[\![t' - G_t]\!]$ for $[\![t]\!]$ 
in (3) yields 

$$\exists G \in_f \mathbb{Z}^T.\ \ell(G) = \emptyset \wedge M_2 + {}^\bullet U_2 = M_2' + {}^\bullet U_2' + (M_0 - M_0') + [\![G - G_t]\!].$$

Since $\ell(G - G_t) = \emptyset$ we obtain $(M_2,U_2) \mathscr{B} (M_2',U_2')$. 

(d) Follows directly from Condition 2b and Definition 11. 

(e) Follows directly from Condition 2a and Definition 11. □ 

In Lemma 6 a relation is explored between markings $M$ and $M + [\![H]\!]$ (where $M$ is $M' + {}^\bullet U' + (M_0 - M_0')$ 
of Lemma 6, $H := G$, and $M + [\![H]\!]$ is $M + {}^\bullet U$ of Lemma 6). In such a case, we can think of $M$ as an 
"original marking", and of $M + [\![H]\!]$ as a modification of this marking by the token replacement $[\![H]\!]$. 
The next lemma provides a method to trace certain places $s$ marked by $M + [\![H]\!]$ (or transitions $t$ that 
are enabled under $M + [\![H]\!]$) back to places that must have been marked by $M$ before taking into account 
the token replacement $[\![H]\!]$. Such places are called faithful origins of $s$ (or $t$). In tracking the faithful 
origins of places and transitions, we assume that the places marked by $M$ are taken from a set $S^+$ and 
the transitions in $H$ from a set $T^+$. In Lemma 7 we furthermore assume that the flow relation restricted 
to $S \cup T^+$ is acyclic. We will need this lemma in proving the correctness of our final method of proving 
$N \approx^\Delta_{bSTb} N'$. 

Definition 21. Let $N = (S,T,F,M_0,\ell)$ be a Petri net, $T^+ \subseteq T$ a set of transitions and $S^+ \subseteq S$ a set of 
places. 

• A path in $N$ is an alternating sequence $\pi = x_0 x_1 x_2 \cdots x_n \in (S \cup T)^*$ of places and transitions, such 
that $F(x_i, x_{i+1}) > 0$ for $0 \le i < n$. The arc weight $F(\pi)$ of such a path is the product $\prod_{i=0}^{n-1} F(x_i, x_{i+1})$. 

• A place $s \in S$ is called faithful w.r.t. $T^+$ and $S^+$ iff $|\{s\} \cap S^+| + \sum_{t \in T^+} F(t,s) = 1$. 

• A path $x_0 x_1 x_2 \cdots x_n \in (S \cup T)^*$ from $x_0$ to $x_n$ is faithful w.r.t. $T^+$ and $S^+$ iff all nodes 
$x_i$ for $0 \le i < n$ (that is, all nodes but the last) are either transitions in $T^+$ or faithful places w.r.t. $T^+$ and $S^+$. 

• For $x \in S \cup T$, the infinitary multiset ${}^*x \in (\mathbb{N} \cup \{\infty\})^{S^+}$ of faithful origins of $x$ is given by 
${}^*x(s) = \sup\{F(\pi) \mid \pi \text{ is a faithful path from } s \in S^+ \text{ to } x\}$. (So ${}^*x(s) = 0$ if no such path exists.) 

Suppose a marking $M_2$ is reachable from a marking $M_1 \in \mathbb{N}^{S^+}$ by firing transitions from $T^+$ only. Then, 
if a faithful place $s$ bears a token under $M_2$, i.e. $M_2(s) > 0$, this token has a unique source: if $s \in S^+$ it 
must stem from $M_1$ and otherwise it must be produced by the unique transition $t \in T^+$ with $F(t,s) = 1$. 

In a net without arc weights, ${}^*x$ is always a set, namely the set of places $s$ in $S^+$ from which the flow 
relation of the net admits a path to $x$ that passes only through faithful places and transitions from $T^+$ 
(with the possible exception of $x$ itself). For nets with arc weights, the underlying set of ${}^*x$ is the same, 
and the multiplicity of $s \in {}^*x$ is obtained by multiplying all arc weights on the qualifying path from $s$ 
to $x$; in case of multiple such paths, we take the upper bound over all such paths (which could yield the 
value $\infty$). 
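The following Python program is a worked example added here; it is not part of the paper. On a small weighted net constructed for the illustration it computes the faithful places and the faithful-origins multiset ${}^*x$ of Definition 21, and then checks the two bounds of Lemma 7 below ($(M + [\![H]\!])(s) \cdot {}^*s \le M$ for faithful $s$, and $k \cdot {}^*t \le M$ whenever $(M + [\![H]\!])[k \cdot \{t\}\rangle$). The net, the sets $T^+$ and $S^+$, the markings and all names (`t1`, `t2`, `exec`, `p`, `q`, `r`, `w`) are assumptions of the example. The place `w` is deliberately both in $S^+$ and an output of a $T^+$ transition, so it is not faithful; the example shows that the bound of Lemma 7(a) can indeed fail for such a place, which is why the lemma restricts it to faithful places.

```python
"""Faithful origins (Definition 21) and the bounds of Lemma 7 on a small
weighted net.  Added example, not part of the paper: the net, T+, S+,
the markings and all names below are constructed for this illustration.

Conventions: a marking or a multiset of transitions is a dict in which
absent keys count as 0; F maps (source, target) to the arc weight.
"""

# Constructed net.  t1 and t2 are the "token replacement" transitions T+;
# exec is the transition whose enabling we trace back to the original marking.
F = {
    ("p", "t1"): 2, ("t1", "q"): 1, ("t1", "w"): 1,
    ("q", "t2"): 1, ("t2", "r"): 1,
    ("q", "exec"): 1, ("r", "exec"): 2, ("w", "exec"): 1,
}
PLACES = {"p", "q", "r", "w"}
TPLUS = {"t1", "t2"}
SPLUS = {"p", "w"}     # the places that the original marking M may mark


def weight(y, z):
    return F.get((y, z), 0)


def faithful_places(places, tplus, splus):
    """s is faithful iff |{s} ∩ S+| + sum_{t in T+} F(t, s) == 1, i.e. a token
    on s has exactly one provenance: M itself, or one unique T+ transition."""
    return {s for s in places
            if (1 if s in splus else 0) + sum(weight(t, s) for t in tplus) == 1}


def faithful_origins(x, places, tplus, splus):
    """*x as a dict s -> weight: for every s in S+ the largest arc weight of a
    faithful path from s to x (a path whose nodes, x itself excepted, are T+
    transitions or faithful places).  Assumes, as Lemma 7 does, that F
    restricted to S ∪ T+ is acyclic, so the recursion terminates and the
    supremum of Definition 21 is a maximum over finitely many paths."""
    faithful = faithful_places(places, tplus, splus)
    memo = {}

    def origins(y):
        if y in memo:
            return memo[y]
        # The trivial path from y to y has no node before its end, so it is
        # faithful whenever y is an admissible source, i.e. y is in S+.
        result = {y: 1} if y in splus else {}
        for (z, y2), w in F.items():
            if y2 == y and (z in tplus or z in faithful):   # z may precede y
                for s, ws in origins(z).items():
                    result[s] = max(result.get(s, 0), ws * w)
        memo[y] = result
        return result

    return origins(x)


def effect(H):
    """[[H]] = H^• - ^•H, the net token change of firing the multiset H."""
    delta = {}
    for t, n in H.items():
        for (y, z), w in F.items():
            if y == t:
                delta[z] = delta.get(z, 0) + n * w
            elif z == t:
                delta[y] = delta.get(y, 0) - n * w
    return delta


def add(M, delta):
    out = dict(M)
    for s, d in delta.items():
        out[s] = out.get(s, 0) + d
    return out


def leq(A, B):
    """Multiset inclusion A ≤ B."""
    return all(n <= B.get(s, 0) for s, n in A.items())


def enabled(M, t, k=1):
    """M[k·{t}>: k copies of t can fire together under M."""
    return all(M.get(y, 0) >= k * w for (y, z), w in F.items() if z == t)


def lemma7a_holds(M, H, s):
    """(M + [[H]])(s) · *s ≤ M; Lemma 7 guarantees this for faithful s only."""
    n = add(M, effect(H)).get(s, 0)
    return leq({o: n * w for o, w in faithful_origins(s, PLACES, TPLUS, SPLUS).items()}, M)


def lemma7b_holds(M, H, t, k):
    """If (M + [[H]])[k·{t}> then k · *t ≤ M (vacuously true if t is not enabled)."""
    M_H = add(M, effect(H))
    if min(M_H.values()) < 0:
        raise ValueError("M + [[H]] is not a marking")
    if not enabled(M_H, t, k):
        return True
    return leq({s: k * w for s, w in faithful_origins(t, PLACES, TPLUS, SPLUS).items()}, M)


if __name__ == "__main__":
    M, H = {"p": 6}, {"t1": 3, "t2": 2}
    print(faithful_origins("exec", PLACES, TPLUS, SPLUS))   # {'p': 4}
    print(lemma7b_holds(M, H, "exec", 1))                   # True
```

With $M = \{p: 6\}$ and $H = 3 \cdot \{t1\} + 2 \cdot \{t2\}$ the marking $M + [\![H]\!]$ enables `exec`; its faithful origins are $\{p: 4\}$ because the path $p\,t1\,q\,t2\,r\,\mathit{exec}$ has arc weight $2 \cdot 1 \cdot 1 \cdot 1 \cdot 2 = 4$ and dominates the shorter path through $q$ alone, so Lemma 7(b) asks for at least four tokens on $p$ in the original marking, which the six tokens provide. The path through `w` is not faithful and contributes nothing.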

Observation 9. Let $(S,T,F,M_0,\ell)$ be a Petri net, $T^+ \subseteq T$ a set of transitions and $S^+ \subseteq S$ a set of places. 
For faithful places $s$ and transitions $t \in T$ we have 

$${}^*s = \{s\} \text{ if } s \in S^+, \qquad {}^*s = {}^*t \text{ for the unique } t \in T^+ \text{ with } F(t,s) = 1 \text{ otherwise,}$$

$${}^*t = \bigsqcup\{F(s,t) \cdot {}^*s \mid s \in {}^\bullet t \wedge s \text{ faithful}\}.$$


Lemma 7. Let $(S,T,F,M_0,\ell)$ be a Petri net, $T^+ \subseteq T$ a set of transitions such that $F \upharpoonright (S \cup T^+)$ is acyclic, 
and $S^+ \subseteq S$ a set of places. Let $M \in \mathbb{N}^{S^+}$ and $H \in_f \mathbb{N}^{T^+}$, such that $M + [\![H]\!] \in \mathbb{N}^S$. Then 

(a) for any faithful place $s$ w.r.t. $T^+$ and $S^+$ we have $(M + [\![H]\!])(s) \cdot {}^*s \le M$; 

(b) for any $k \in \mathbb{N}$, and any transition $t$ with $(M + [\![H]\!])[k \cdot \{t\}\rangle$, we have $k \cdot {}^*t \le M$. 

Proof: We apply induction on $|H|$. 

(a). When $(M + [\![H]\!])(s) = 0$ it trivially follows that $(M + [\![H]\!])(s) \cdot {}^*s \le M$. So suppose $(M + [\![H]\!])(s) > 0$. 
Then either $s \in S^+$ or there is a unique $t \in T^+$ with $H(t) > 0$ and $F(t,s) = 1$. In the first case, using that 
$s \in u^\bullet$ for no $u \in T^+$, we have $(M + [\![H]\!])(s) \le M(s)$, so $(M + [\![H]\!])(s) \cdot {}^*s \le M(s) \cdot \{s\} \le M$. 

In the latter case, $M(s) = 0$ (as $M \in \mathbb{N}^{S^+}$), so $(M + [\![H]\!])(s) \le M(s) + \sum_{u \in T^+} H(u) \cdot F(u,s) = H(t)$, and ${}^*s = {}^*t$. 
Let $U := \{u \in T^+ \mid H(u) > 0 \wedge u F^+ t\}$ be the set of transitions occurring in $H$ from which the flow 
relation of the net offers a non-empty path to $t$. As $F \upharpoonright (S \cup T^+)$ is acyclic, $t \notin U$, so $H \upharpoonright U < H$. Let 
$s'$ be any place with $s' \in {}^\bullet u$ for some transition $u \in U$. Then, by construction of $U$, it cannot happen 
that $s' \in v^\bullet$ for some transition $v \notin U$ with $H(v) > 0$. Hence $(M + [\![H \upharpoonright U]\!])(s') \ge (M + [\![H]\!])(s') \ge 0$. 
Moreover, for any other place $s''$ we have ${}^\bullet(H \upharpoonright U)(s'') = 0$ and thus $(M + [\![H \upharpoonright U]\!])(s'') \ge M(s'') \ge 0$. It 
follows that $M + [\![H \upharpoonright U]\!] \in \mathbb{N}^S$. 

For each $s''' \in {}^\bullet t$ we have $(H - H \upharpoonright U)^\bullet(s''') = 0$ and ${}^\bullet(H - H \upharpoonright U)(s''') \ge H(t) \cdot {}^\bullet t(s''')$ and therefore 
$0 \le (M + [\![H]\!])(s''') \le (M + [\![H \upharpoonright U]\!])(s''') - H(t) \cdot {}^\bullet t(s''')$, and hence $H(t) \cdot {}^\bullet t \le M + [\![H \upharpoonright U]\!]$. It follows 
that $(M + [\![H \upharpoonright U]\!])[H(t) \cdot \{t\}\rangle$. Thus, by induction, $(M + [\![H]\!])(s) \cdot {}^*s \le H(t) \cdot {}^*t \le M$. 

(b). Let $(M + [\![H]\!])[k \cdot \{t\}\rangle$. For any faithful $s \in {}^\bullet t$ we have $(M + [\![H]\!])(s) \ge k \cdot F(s,t)$, and thus, using (a), 

$$k \cdot F(s,t) \cdot {}^*s \le (M + [\![H]\!])(s) \cdot {}^*s \le M.$$

Therefore, by Observation 9, $k \cdot {}^*t = \bigsqcup\{k \cdot F(s,t) \cdot {}^*s \mid s \in {}^\bullet t \wedge s \text{ faithful}\} \le M$. □ 

The following theorem is the main result of this section. It presents a method for proving $N \approx^\Delta_{bSTb} N'$ 
for $N$ a net and $N'$ a plain net. Its main advantage w.r.t. directly using the definition, or w.r.t. application 
of Lemma 5 or 6, is the replacement of requirements on the dynamic behaviour of nets by structural 
requirements. Such requirements are typically easier to check. Replacing the requirement "$M + {}^\bullet U \in 
[M_0\rangle_N$" in Condition 5 by "$M + {}^\bullet U \in \mathbb{N}^S$" would have yielded an even more structural version of this 
theorem; however, that version turned out not to be strong enough for the verification task performed in 
Section 7. 

Theorem 3. Let $N = (S,T,F,M_0,\ell)$ be a net and $N' = (S',T',F',M_0',\ell')$ be a plain net with $S' \subseteq S$ and 
$M_0' = M_0 \upharpoonright S'$. Suppose there exist sets $T^+ \subseteq T$ and $T^- \subseteq T$ and a class $NF \subseteq \mathbb{Z}^T$, such that 

1. $F \upharpoonright (S \cup T^+)$ is acyclic. 

2. $F \upharpoonright (S \cup T^-)$ is acyclic. 
3. $\forall t \in T,\ \ell(t) \neq \tau.\ \exists t' \in T',\ \ell'(t') = \ell(t).\ \big({}^\bullet t' \le {}^*t \wedge \exists G \in_f \mathbb{N}^T,\ \ell(G) = \emptyset.\ [\![t']\!] = [\![t + G]\!]\big)$. 
Here ${}^*t$ is the multiset of faithful origins of $t$ w.r.t. $T^+$ and $S' \cup \{s \in S \mid M_0(s) > 0\}$. 

4. There exists a function $f : T \to \mathbb{N}$ with $f(t) > 0$ for all $t \in T$, extended to $\mathbb{Z}^T$ as in Definition 1, 
such that for each $G \in_f \mathbb{Z}^T$ with $\ell(G) = \emptyset$ there is an $H \in_f NF$ with $\ell(H) = \emptyset$, $[\![H]\!] = [\![G]\!]$ and 
$f(H) = f(G)$. 

5. For every $M' \in \mathbb{N}^{S'}$, $U' \in \mathbb{N}^{T'}$ and $U \in \mathbb{N}^T$ with $\ell(U) = \ell'(U')$ and $M' + {}^\bullet U' \in [M_0'\rangle_{N'}$, there is an 
$H_{M',U} \in_f \mathbb{N}^{T^+}$ with $\ell(H_{M',U}) = \emptyset$, such that for each $H \in_f NF$ with $M := M' + {}^\bullet U' + (M_0 - M_0') + 
[\![H]\!] - {}^\bullet U \in \mathbb{N}^S$ and $M + {}^\bullet U \in [M_0\rangle_N$: 

(a) $M_{M',U} := M' + {}^\bullet U' + (M_0 - M_0') + [\![H_{M',U}]\!] - {}^\bullet U \in \mathbb{N}^S$, 

(b) if $M' \xrightarrow{a}$ with $a \in Act$ then $M_{M',U} \xrightarrow{a}$, 

(c) $H \le H_{M',U}$, 

(d) if $H(u) < 0$ then $u \in T^-$, 

(e) if $H(u) < 0$ and $H(t) > 0$ then ${}^\bullet u \cap t^\bullet = \emptyset$, 

(f) if $H(u) < 0$ and $(M + {}^\bullet U)[t\rangle$ with $\ell(t) \neq \tau$ then ${}^\bullet u \cap {}^\bullet t = \emptyset$, 

(g) if $(M + {}^\bullet U)[\{t\} + \{u\}\rangle$ and $t', u' \in T'$ with $\ell'(t') = \ell(t)$ and $\ell'(u') = \ell(u)$, then ${}^\bullet t' \cap {}^\bullet u' = \emptyset$. 

Then $N \approx^\Delta_{bSTb} N'$. 

Proof: It suffices to show that Condition 2 of Lemma 6 holds (for Condition 1 of Lemma 6 is part of 
Condition 3 above). So let $G \in_f \mathbb{Z}^T$ with $\ell(G) = \emptyset$, $M' \in \mathbb{N}^{S'}$, $U' \in \mathbb{N}^{T'}$ and $U \in \mathbb{N}^T$ with $\ell'(U') = \ell(U)$, 
$M' + {}^\bullet U' \in [M_0'\rangle_{N'}$, $M := M' + {}^\bullet U' + (M_0 - M_0') + [\![G]\!] - {}^\bullet U \in \mathbb{N}^S$ and $M + {}^\bullet U \in [M_0\rangle_N$. 

(a) Suppose $M \xrightarrow{\tau} M_1 \xrightarrow{\tau} M_2 \xrightarrow{\tau} \cdots$. Then there are transitions $t_i \in T$ with $\ell(t_i) = \tau$, for all $i \ge 1$, 
such that $M[t_1\rangle M_1[t_2\rangle M_2[t_3\rangle \cdots$. As also $(M + {}^\bullet U)[t_1\rangle(M_1 + {}^\bullet U)[t_2\rangle(M_2 + {}^\bullet U)[t_3\rangle \cdots$, it follows that 
$(M_i + {}^\bullet U) \in [M_0\rangle_N$ for all $i \ge 1$. Let $G_0 := G$ and for all $i \ge 1$ let $G_i := G_{i-1} + \{t_i\}$. Then $\ell(G_i) = \emptyset$ 
and $M_i = M' + {}^\bullet U' + (M_0 - M_0') + [\![G_i]\!] - {}^\bullet U$. Moreover, $f(G_{i+1}) = f(G_i) + f(t_{i+1}) > f(G_i)$. For 
all $i \ge 1$, using Condition 4, let $H_i \in_f NF$ be so that $[\![H_i]\!] = [\![G_i]\!]$ and $f(H_i) = f(G_i)$. Then $M_i = 
M' + {}^\bullet U' + (M_0 - M_0') + [\![H_i]\!] - {}^\bullet U$ and $f(H_1) < f(H_2) < \cdots$. However, from Condition 5c 
we get $f(H_i) \le f(H_{M',U})$ for all $i \ge 1$. The sequence $M \xrightarrow{\tau} M_1 \xrightarrow{\tau} M_2 \xrightarrow{\tau} \cdots$ therefore must be finite. 

(b) Now suppose $M' \xrightarrow{a}$ with $a \in Act$. By Condition 4 above there exists an $H \in_f NF$ such that $\ell(H) = \emptyset$ 
and $[\![H]\!] = [\![G]\!]$, and hence $M = M' + {}^\bullet U' + (M_0 - M_0') + [\![H]\!] - {}^\bullet U$. Let $H^- := \{u \in T \mid H(u) < 0\}$. 

• First suppose $H^- \neq \emptyset$. By Condition 5d, $H^- \subseteq T^-$. By Condition 2, $<^- := (F \upharpoonright (S \cup T^-))^+$ is 
a partial order on $S \cup T^-$, and hence on $H^-$. Let $u$ be a minimal transition in $H^-$ w.r.t. $<^-$. By 
definition, for all $s \in S$, 

$$M(s) = M'(s) + {}^\bullet U'(s) + (M_0 - M_0')(s) + \sum_{t \in T} H(t) \cdot F(t,s) + \sum_{t \in T} -H(t) \cdot F(s,t) + \sum_{t \in T} -U(t) \cdot F(s,t). \qquad (4)$$

As $M_0' = M_0 \upharpoonright S'$, we have $M_0' \le M_0$. Hence the first three summands in this equation are always 
positive (or 0). Now assume $s \in {}^\bullet u$. Since $u$ is minimal w.r.t. $<^-$, there is no $t \in T$ with $H(t) < 0$ 
and $F(t,s) \neq 0$. Hence also all summands $H(t) \cdot F(t,s)$ are positive. By Condition 5e there is 
no $t \in T$ with $H(t) > 0$ and $F(s,t) \neq 0$, so all summands $-H(t) \cdot F(s,t)$ are positive as well. By 
Condition 5f there is no $t \in T$ with $U(t) > 0$ and $F(s,t) \neq 0$, for this would imply that $\ell(t) \neq \tau$ 
and $(M + {}^\bullet U)[t\rangle$, so no summands in (4) are negative. Thus $0 < -H(u) \cdot F(s,u) \le M(s)$. Since 
$H(u) \le -1$, this implies $M(s) \ge F(s,u)$. Hence $u$ is enabled in $M$. As $\ell(u) = \tau$, we have $M \xrightarrow{\tau}$. 

• Next suppose $H^- = \emptyset$ but $H \neq H_{M',U}$. Let $H^\uparrow := \{u \in T \mid H_{M',U}(u) - H(u) > 0\}$; then $H^\uparrow \neq \emptyset$ 
by Condition 5c. Since $H_{M',U} \in_f \mathbb{N}^{T^+}$, $H^\uparrow \subseteq T^+$. By Condition 1, $<^+ := (F \upharpoonright (S \cup T^+))^+$ is a 
partial order on $S \cup T^+$, and hence on $H^\uparrow$. Let $u$ be a minimal transition in $H^\uparrow$ w.r.t. $<^+$. We 
have $M = M' + {}^\bullet U' + (M_0 - M_0') + [\![H_{M',U} + (H - H_{M',U})]\!] - {}^\bullet U = M_{M',U} + [\![H - H_{M',U}]\!]$. Hence, 
for all $s \in S$, 

$$M(s) = M_{M',U}(s) + \sum_{t \in T} (H - H_{M',U})(t) \cdot F(t,s) + \sum_{t \in T} -(H - H_{M',U})(t) \cdot F(s,t). \qquad (5)$$

By Condition 5a, $M_{M',U} \in \mathbb{N}^S$. By Condition 5c, $H - H_{M',U} \le 0$. For $s \in {}^\bullet u$ there is moreover no 
$t \in H^\uparrow$ with $s \in t^\bullet$, so no $t \in T$ with $(H - H_{M',U})(t) < 0$ and $F(t,s) \neq 0$. Hence no summands in 
(5) are negative. It follows that $0 < -(H - H_{M',U})(u) \cdot F(s,u) \le M(s)$. Since $(H - H_{M',U})(u) \le 
-1$, this implies $M(s) \ge F(s,u)$. Hence $u$ is enabled in $M$. As $\ell(u) = \tau$, we have $M \xrightarrow{\tau}$. 

• Finally suppose $H = H_{M',U}$. Then $M = M_{M',U}$ and $M \xrightarrow{a}$ follows by Condition 5b. 

(c) Next suppose $M \xrightarrow{a}$ with $a \in Act$. Then there is a $t \in T$ with $\ell(t) = a \neq \tau$ and $M[t\rangle$. So $(M + {}^\bullet U)[t\rangle$. 
We will first show that $(M' + {}^\bullet U') \xrightarrow{a}$. By Condition 4 there exists an $H_0 \in_f NF \subseteq \mathbb{Z}^T$ such that 
$\ell(H_0) = \emptyset$ and $[\![H_0]\!] = [\![G]\!]$, and hence $M + {}^\bullet U = M' + {}^\bullet U' + (M_0 - M_0') + [\![H_0]\!] \in [M_0\rangle_N$. For our first 
step, it suffices to show that whenever $H \in_f NF$ with $M_H := M' + {}^\bullet U' + (M_0 - M_0') + [\![H]\!] \in [M_0\rangle_N$ 
and $M_H[t\rangle$, then $(M' + {}^\bullet U') \xrightarrow{a}$. We show this by induction on $f(H_{M',U} - H)$, observing that 
$f(H_{M',U} - H) \in \mathbb{N}$ by Conditions 5c (with empty $U$) and 4. 
We consider two cases, depending on the emptiness of $H^- := \{u \in T \mid H(u) < 0\}$. 
First assume $H^- = \emptyset$. Then $H \in_f \mathbb{N}^T$. By Condition 5c (with empty $U$) we even have $H \in_f \mathbb{N}^{T^+}$. 
Let ${}^*t$ denote the multiset of faithful origins of $t$ w.r.t. $T^+$ and $S^+ := S' \cup \{s \in S \mid M_0(s) > 0\}$. By 
Lemma 7(b), taking $k = 1$, substituting $M' + {}^\bullet U' + (M_0 - M_0')$ for the "$M$" of that lemma, and using 
Condition 1 of Theorem 3, ${}^*t \le M' + {}^\bullet U' + (M_0 - M_0')$. So by Condition 3 of Theorem 3 there is 
a $t' \in T'$ with $\ell'(t') = \ell(t)$ and ${}^\bullet t' \le M' + {}^\bullet U' + (M_0 - M_0')$. Since ${}^\bullet t' \in \mathbb{N}^{S'}$ and $M_0' = M_0 \upharpoonright S'$, this 
implies ${}^\bullet t' \le M' + {}^\bullet U'$. It follows that $(M' + {}^\bullet U')[t'\rangle_{N'}$, and hence $(M' + {}^\bullet U') \xrightarrow{a}$. 
Now assume $H^- \neq \emptyset$. By the same proof as for (b) above, case $H^- \neq \emptyset$, there is a transition $u \in H^-$ 
that is enabled in $M_H$. So $M_H[u\rangle M_1$ for some $M_1 \in [M_0\rangle_N$, and $M_1 = M' + {}^\bullet U' + (M_0 - M_0') + [\![H + u]\!]$. 
By Condition 5f of Theorem 3 (still with empty $U$), ${}^\bullet u \cap {}^\bullet t = \emptyset$, and thus $M_1[t\rangle$. By Condition 4 of 
Theorem 3 there exists an $H_1 \in_f NF$ such that $\ell(H_1) = \emptyset$, $[\![H_1]\!] = [\![H + u]\!]$, and $f(H_1) = f(H + u) > 
f(H)$. Thus $M_1 = M_{H_1}$ and $f(H_{M',U} - H_1) < f(H_{M',U} - H)$. By induction we obtain $(M' + {}^\bullet U') \xrightarrow{a}$. 
By the above reasoning, there is a $t' \in T'$ such that $\ell'(t') = a$ and $(M' + {}^\bullet U')[t'\rangle$. Now take any 
$u' \in U'$. Then there must be an $u \in U$ with $\ell'(u') = \ell(u)$. Since $M[t\rangle$, we have $(M + {}^\bullet U)[\{t\} + \{u\}\rangle$ 
and by Condition 5g we obtain ${}^\bullet t' \cap {}^\bullet u' = \emptyset$. It follows that $M'[t'\rangle$, and hence $M' \xrightarrow{a}$. □ 



Digression: Interleaving semantics 

Above, a method is presented for establishing the equivalence of two Petri nets, one of which is known 
to be plain, up to branching ST-bisimilarity with explicit divergence. Here, we simplify this result into 
a method for establishing the equivalence of the two nets up to interleaving branching bisimilarity with 
explicit divergence. This result is not applied in the current paper. 

Lemma 8. Let $N = (S,T,F,M_0,\ell)$ and $N' = (S',T',F',M_0',\ell')$ be two nets, $N'$ being plain. Suppose there 
is a relation $\mathscr{B} \subseteq \mathbb{N}^S \times \mathbb{N}^{S'}$ such that 

(a) $M_0 \mathscr{B} M_0'$, 

(b) if $M_1 \mathscr{B} M_1'$ and $M_1 \xrightarrow{\tau} M_2$ then $M_2 \mathscr{B} M_1'$, 

(c) if $M_1 \mathscr{B} M_1'$ and $M_1 \xrightarrow{a} M_2$ for some $a \in Act$ then $\exists M_2'.\ M_1' \xrightarrow{a} M_2' \wedge M_2 \mathscr{B} M_2'$, 

(d) if $M_1 \mathscr{B} M_1'$ and $M_1' \xrightarrow{a}$ for some $a \in Act$ then either $M_1 \xrightarrow{a}$ or $M_1 \xrightarrow{\tau}$, 

(e) and there is no infinite sequence $M \xrightarrow{\tau} M_1 \xrightarrow{\tau} M_2 \xrightarrow{\tau} \cdots$ with $M \mathscr{B} M'$ for some $M'$. 
Then $N$ and $N'$ are interleaving branching bisimilar with explicit divergence. 

Proof: This follows directly from Lemma 4 by taking $(\mathfrak{S}_1, \mathfrak{T}_1, \mathfrak{M}_{01})$ and $(\mathfrak{S}_2, \mathfrak{T}_2, \mathfrak{M}_{02})$ to be the inter- 
leaving LTSs associated to $N$ and $N'$ respectively. Here we use that the LTS associated to a plain net is 
deterministic. □ 

Lemma 9. Let $N = (S,T,F,M_0,\ell)$ be a net and $N' = (S',T',F',M_0',\ell')$ be a plain net with $S' \subseteq S$ and 
$M_0' = M_0 \upharpoonright S'$. Suppose: 

1. $\forall t \in T,\ \ell(t) \neq \tau.\ \exists t' \in T',\ \ell'(t') = \ell(t).\ \exists G \in_f \mathbb{N}^T,\ \ell(G) = \emptyset.\ [\![t']\!] = [\![t + G]\!]$. 

2. For any $G \in_f \mathbb{Z}^T$ with $\ell(G) = \emptyset$, $M' \in [M_0'\rangle_{N'}$ and $M := M' + (M_0 - M_0') + [\![G]\!] \in [M_0\rangle_N$, it holds that: 

(a) there is no infinite sequence $M \xrightarrow{\tau} M_1 \xrightarrow{\tau} M_2 \xrightarrow{\tau} \cdots$ 

(b) if $M' \xrightarrow{a}$ with $a \in Act$ then $M \xrightarrow{a}$ or $M \xrightarrow{\tau}$ 

(c) and if $M \xrightarrow{a}$ with $a \in Act$ then $M' \xrightarrow{a}$. 

Then $N$ and $N'$ are interleaving branching bisimilar with explicit divergence. 

Proof: Define $\mathscr{B} \subseteq \mathbb{N}^S \times \mathbb{N}^{S'}$ by $M \mathscr{B} M' :\Leftrightarrow M' \in [M_0'\rangle_{N'} \wedge \exists G \in_f \mathbb{Z}^T.\ M = M' + (M_0 - M_0') + [\![G]\!] \in [M_0\rangle_N$ 
$\wedge\ \ell(G) = \emptyset$. It suffices to show that $\mathscr{B}$ satisfies Conditions (a)-(e) of Lemma 8. 

(a) Take $G = \emptyset$. 

(b) Suppose $M_1 \mathscr{B} M_1'$ and $M_1 \xrightarrow{\tau} M_2$. Then $\exists G \in_f \mathbb{Z}^T.\ M_1 = M_1' + (M_0 - M_0') + [\![G]\!] \wedge \ell(G) = \emptyset$ and 
$\exists t \in T.\ \ell(t) = \tau \wedge M_2 = M_1 + [\![t]\!] = M_1' + (M_0 - M_0') + [\![G + t]\!]$. Moreover, $M_1 \in [M_0\rangle_N$ and hence 
$M_2 \in [M_0\rangle_N$. Furthermore, $M_1' \in [M_0'\rangle_{N'}$ and $\ell(G + t) = \emptyset$, so $M_2 \mathscr{B} M_1'$. 

(c) Suppose $M_1 \mathscr{B} M_1'$ and $M_1 \xrightarrow{a} M_2$. Then $\exists G \in_f \mathbb{Z}^T.\ M_1 = M_1' + (M_0 - M_0') + [\![G]\!] \wedge \ell(G) = \emptyset$ and 
$\exists t \in T.\ \ell(t) = a \neq \tau \wedge M_2 = M_1 + [\![t]\!] = M_1' + (M_0 - M_0') + [\![G + t]\!]$. Moreover, $M_1 \in [M_0\rangle_N$ and 
hence $M_2 \in [M_0\rangle_N$. Furthermore, $M_1' \in [M_0'\rangle_{N'}$. By Condition 1 of Lemma 9, $\exists t' \in T'.\ \ell'(t') = \ell(t).$ 
$\exists G_t \in_f \mathbb{N}^T,\ \ell(G_t) = \emptyset.\ [\![t]\!] = [\![t' - G_t]\!]$. Substitution of $[\![t' - G_t]\!]$ for $[\![t]\!]$ yields $M_2 = M_1' + [\![t']\!] + 
(M_0 - M_0') + [\![G - G_t]\!]$. By Condition 2c, $M_1' \xrightarrow{a}$, so $M_1' \xrightarrow{a} M_2'$ for some $M_2' \in [M_0'\rangle_{N'}$. As $t'$ 
is the only transition in $T'$ with $\ell'(t') = a$, we must have $M_1'[t'\rangle M_2'$. So $M_1' + [\![t']\!] = M_2'$. Since 
$\ell(G - G_t) = \emptyset$ it follows that $M_2 \mathscr{B} M_2'$. 

(d) Follows directly from Condition 2b. 

(e) Follows directly from Condition 2a. □ 

The above is a variant of Lemma 6 that requires Condition 2 only for $U = U' = \emptyset$, and allows us to 
conclude that $N$ and $N'$ are interleaving branching bisimilar (instead of branching ST-bisimilar) with 
explicit divergence. Likewise, the below is a variant of Theorem 3 that requires Condition 5 only for 
$U = U' = \emptyset$, and misses Condition 5g. 

Theorem 4. Let $N = (S,T,F,M_0,\ell)$ be a net and $N' = (S',T',F',M_0',\ell')$ be a plain net with $S' \subseteq S$ and 
$M_0' = M_0 \upharpoonright S'$. Suppose there exist sets $T^+ \subseteq T$ and $T^- \subseteq T$ and a class $NF \subseteq \mathbb{Z}^T$, such that 

1-4. Conditions 1-4 from Theorem 3 hold, and 

5. For every reachable marking $M' \in [M_0'\rangle_{N'}$ there is an $H_{M'} \in_f \mathbb{N}^{T^+}$ with $\ell(H_{M'}) = \emptyset$, such that for 
each $H \in_f NF$ with $M := M' + (M_0 - M_0') + [\![H]\!] \in [M_0\rangle_N$ one has: 

(a) $M_{M'} := M' + (M_0 - M_0') + [\![H_{M'}]\!] \in \mathbb{N}^S$, 

(b) if $M' \xrightarrow{a}$ with $a \in Act$ then $M_{M'} \xrightarrow{a}$, 

(c) $H \le H_{M'}$, 

(d) if $H(u) < 0$ then $u \in T^-$, 

(e) if $H(u) < 0$ and $H(t) > 0$ then ${}^\bullet u \cap t^\bullet = \emptyset$, 

(f) if $H(u) < 0$ and $M[t\rangle$ with $\ell(t) \neq \tau$ then ${}^\bullet u \cap {}^\bullet t = \emptyset$. 

Then $N$ and $N'$ are interleaving branching bisimilar with explicit divergence. 

Proof: A straightforward simplification of the proof of Theorem 3. □ 



7 The Correctness Proof 

We now apply the preceding theory to prove the correctness of the conflict replicating implementation. 

Theorem 5. Let $N$ be a finitary plain structural conflict net without a fully reachable pure M. 
Then $\mathcal{I}(N) \approx^\Delta_{bSTb} N$. 

Proof: In this proof the given finitary plain structural conflict net without a fully reachable pure M will 
be $N' = (S',T',F',M_0',\ell')$, and its conflict replicating implementation is called $N = (S,T,F,M_0,\ell)$. 
This convention matches the one of Section 6, but is the reverse of the one used in Section 5; it pays off 
in terms of a significant reduction in the number of primes in this paper. 

For future reference, Table 2 provides a place-oriented representation of the conflict replicating im- 
plementation of a given net $N' = (S',T',F',M_0',\ell')$, with the macros for reversible transitions expanded. 
Here $T^{\circlearrowleft} = \{\text{initialise}_j \mid j \in T'\} \cup \{\text{transfer}_j^h \mid h <_\# j \in T'\}$, whereas $(\text{transfer}_j^h)^{\circlearrowleft} = \{\text{trans}_j^h\text{-out}\}$ and 
$(\text{initialise}_j)^{\circlearrowleft} = \{\text{pre}_k^j \mid k >_\# j\} \cup \{\text{trans}_j^h\text{-in} \mid h <_\# j\}$. 

We will obtain Theorem 5 as an application of Theorem 3. Following the construction of $N$ described 
in Section 5.2 we indeed have $S' \subseteq S$ and $M_0' = M_0 \upharpoonright S'$. Let $T^+ \subseteq T$ be the set of transitions 

$$\text{distribute}_p \qquad \text{initialise}_i{\cdot}\text{fire} \qquad \text{transfer}_j^h{\cdot}\text{fire} \qquad (6)$$

for any applicable values of $p \in S'$ and $h, j \in T'$. Furthermore, $T^- := T \setminus (T^+ \cup \{\text{execute}_j^i \mid i <_\# j \in T'\})$. 
We start with checking Conditions 1, 2 and 3 of Theorem 3. 

1. Let $<^+$ be the partial order on $T^+$ given by the order of listing in (6), so $\text{initialise}_i{\cdot}\text{fire} <^+ 
\text{transfer}_j^h{\cdot}\text{fire}$, for any $i \in T'$ and $h <_\# j \in T'$, but the transitions $\text{transfer}_j^h{\cdot}\text{fire}$ and $\text{transfer}_l^k{\cdot}\text{fire}$ for 
$(h,j) \neq (k,l)$ are unordered. By examining Table 2 we see that for any place with a pretransition $t$ 
in $T^+$, all its posttransitions $u$ in $T^+$ appear higher in the $<^+$-ordering: $t <^+ u$. From this it follows 
that $F \upharpoonright (S \cup T^+)$ is acyclic. 

2. Let $<^-$ be the partial order on $T^-$ given by the row-wise order of the following enumeration of $T^-$: 

$$t{\cdot}\text{undo}_i \qquad \text{transfer}_j^h{\cdot}\text{undo}(f) \qquad \text{transfer}_j^h{\cdot}\text{undone} \qquad \text{initialise}_i{\cdot}\text{undo}(f) \qquad \text{initialise}_i{\cdot}\text{undone}$$
$$\text{fetch}_{i,j}^{p,c} \qquad \text{fetched}_j^i \qquad t{\cdot}\text{reset}_i \qquad t{\cdot}\text{elide}_i \qquad \text{finalise}^i$$

for any $t \in \{\text{initialise}_i, \text{transfer}_j^h\}$ and any applicable values of $f \in S$, $p \in S'$, and $h, i, j, c \in T'$. By 
examining Table 2 we see that for any place with a pretransition $t$ in $T^-$, all its posttransitions $u$ in 
$T^-$ appear higher in the $<^-$-ordering: $t <^- u$. From this it follows that $F \upharpoonright (S \cup T^-)$ is acyclic. 
Table 2: The conflict replicating implementation. 

[Place-oriented table; columns: Place | Pretransitions, with arc weights | Posttransitions, with arc weights | for all. 
Only the row and column labels survive here. The rows cover the places $p$, $p_c$, $\pi_c$ (marked), $\text{pre}_j^i$, 
$\text{trans}_j^h\text{-in}$, $\text{trans}_j^h\text{-out}$, $\pi_{j\#i}$ (marked), $\text{fetch}_{i,j}^{p,c}\text{-in}$ and $\text{fetch}_{i,j}^{p,c}\text{-out}$ of the main construction, 
with the transitions $\text{distribute}_p$, $\text{initialise}_c{\cdot}\text{fire}$, $\text{initialise}_c{\cdot}\text{reset}_i$, $\text{initialise}_i{\cdot}\text{undo}(\cdot)$, $\text{initialise}_i{\cdot}\text{undone}$, 
$\text{transfer}_j^h{\cdot}\text{fire}$, $\text{transfer}_j^h{\cdot}\text{reset}_c$, $\text{transfer}_j^h{\cdot}\text{undo}(\cdot)$, $\text{transfer}_j^h{\cdot}\text{undone}$, $\text{execute}_j^i$, $\text{fetch}_{i,j}^{p,c}$, $\text{fetched}_j^i$ and 
$\text{finalise}^i$ (arc weights $F'(p,c)$, $F'(p,i)$, $F'(i,p)$ where applicable) as pre- and posttransitions, for 
$p \in S'$, $i \in {}^\bullet p$, $c \in p^\bullet$, $h <_\# j \in T'$, $i <_\# j <_\# l \in T'$; and the places $\text{undo}_i(t)$, $\text{reset}_i(t)$, $\text{ack}_i(t)$, 
$\text{fired}(t)$, $\rho_i(t)$, $\text{take}(f,t)$, $\text{took}(f,t)$ and $\rho(t)$ of the reversible-transition macros, with the transitions 
$\text{execute}_j^i$, $\text{fetched}_j^i$, $\text{finalise}^i$, $t{\cdot}\text{fire}$, $t{\cdot}\text{undo}_i$, $t{\cdot}\text{reset}_i$, $t{\cdot}\text{elide}_i$, $t{\cdot}\text{undo}(f)$ and $t{\cdot}\text{undone}$ as pre- and 
posttransitions, for $t \in T^{\circlearrowleft}$, $\Omega_i \ni t$, $f \in t^{\circlearrowleft}$. The effects of the transitions that the proof below relies on 
are restated in the equations following (7).] 



3. The only transitions $t \in T$ with $\ell(t) \neq \tau$ are $\text{execute}_j^i$, with $i <_\# j \in T'$. So take $i <_\# j \in T'$. Then the 
only transition $t' \in T'$ with $\ell'(t') = \ell(\text{execute}_j^i)$ is $i$. Now two statements regarding $i$ and $\text{execute}_j^i$ 
need to be proven. For the first, note that, for any $p \in {}^\bullet i$, the places $p$, $p_i$ and $\text{pre}_j^i$ are faithful w.r.t. 
$T^+$ and $S' \cup \{s \in S \mid M_0(s) > 0\}$. Hence $p\ \text{distribute}_p\ p_i\ \text{initialise}_i{\cdot}\text{fire}\ \text{pre}_j^i\ \text{execute}_j^i$ is a 
faithful path from $p$ to $\text{execute}_j^i$. The arc weight of this path is $F'(p,i)$. Thus ${}^\bullet i \le {}^*\text{execute}_j^i$. 
The second statement holds because, for all $i <_\# j \in T'$, 

$$[\![i]\!] = \Big[\!\Big[\text{execute}_j^i + \sum_{p \in {}^\bullet i}\Big(F'(p,i) \cdot \text{distribute}_p + \sum_{c \in p^\bullet} \text{fetch}_{i,j}^{p,c}\Big) + \text{fetched}_j^i + \text{finalise}^i + \sum_{t \in \Omega_i} t{\cdot}\text{elide}_i\Big]\!\Big]. \qquad (7)$$

To check that these equations hold, note that 

$[\![\text{distribute}_p]\!] = -\{p\} + \{p_c \mid c \in p^\bullet\}$, 

$[\![\text{execute}_j^i]\!] = -\{\pi_{l\#j} \mid l >_\# j\} + \{\text{fetch}_{i,j}^{p,c}\text{-in} \mid p \in {}^\bullet i,\ c \in p^\bullet\} + \{\text{undo}_i(t) \mid t \in \Omega_i\}$, 

$[\![\text{fetch}_{i,j}^{p,c}]\!] = -\{\text{fetch}_{i,j}^{p,c}\text{-in}\} - F'(p,i) \cdot \{p_c\} + \{\text{fetch}_{i,j}^{p,c}\text{-out}\}$, 

$[\![\text{fetched}_j^i]\!] = -\{\text{fetch}_{i,j}^{p,c}\text{-out} \mid p \in {}^\bullet i,\ c \in p^\bullet\} + \{\pi_{l\#j} \mid l >_\# j\} + \{\text{reset}_i(t) \mid t \in \Omega_i\}$, 

$[\![t{\cdot}\text{elide}_i]\!] = -\{\text{undo}_i(t), \text{reset}_i(t)\} + \{\text{ack}_i(t)\}$ for $t \in \Omega_i$, 

$[\![\text{finalise}^i]\!] = -\{\text{ack}_i(t) \mid t \in \Omega_i\} + \sum_{r \in i^\bullet} F'(i,r) \cdot \{r\}$. 
Before we define the class $NF \subseteq \mathbb{Z}^T$ of signed multisets of transitions in normal form, and verify Condi- 
tions 4 and 5, we derive some properties of the conflict replicating implementation $N = \mathcal{I}(N')$. 

Claim 1. For any $M' \in \mathbb{Z}^{S'}$ and $G \in_f \mathbb{Z}^T$ such that $M := M' + (M_0 - M_0') + [\![G]\!] \in \mathbb{N}^S$ we have 

$$G(t{\cdot}\text{elide}_i) + G(t{\cdot}\text{undo}_i) \le \sum_{j >_\# i} G(\text{execute}_j^i) \qquad (8)$$

$$G(\text{finalise}^i) \le G(t{\cdot}\text{elide}_i) + G(t{\cdot}\text{reset}_i) \le \sum_{j >_\# i} G(\text{fetched}_j^i) \qquad (9)$$

$$G(t{\cdot}\text{reset}_i) \le G(t{\cdot}\text{undo}_i) \qquad (10)$$

for each $i \in T'$ and $t \in \Omega_i$. Moreover, for each $t \in T^{\circlearrowleft}$ and $f \in t^{\circlearrowleft}$ 

$$\sum_{\{\omega \mid t \in \Omega_\omega\}} G(t{\cdot}\text{reset}_\omega) \le G(t{\cdot}\text{undone}) \le G(t{\cdot}\text{undo}(f)) \le \sum_{\{\omega \mid t \in \Omega_\omega\}} G(t{\cdot}\text{undo}_\omega) \le G(t{\cdot}\text{fire}) \qquad (11)$$

and for each appropriate $c, h, i, j, l \in T'$ and $p \in S'$: 

$$G(\text{fetched}_j^i) \le G(\text{fetch}_{i,j}^{p,c}) \le G(\text{execute}_j^i) \qquad (12)$$

$$G(\text{initialise}_j{\cdot}\text{fire}) \le 1 + \sum_\omega G(\text{initialise}_j{\cdot}\text{reset}_\omega) \qquad (13)$$

$$G(\text{transfer}_j^h{\cdot}\text{fire}) - G(\text{transfer}_j^h{\cdot}\text{undone}) \le G(\text{initialise}_j{\cdot}\text{fire}) - G(\text{initialise}_j{\cdot}\text{undo}(\text{trans}_j^h\text{-in})) \qquad (14)$$

$$G(\text{transfer}_j^h{\cdot}\text{fire}) + \sum_{i <_\# j} G(\text{execute}_j^i) \le 1 + \sum_\omega G(\text{transfer}_j^h{\cdot}\text{reset}_\omega) + \sum_{i <_\# j} G(\text{fetched}_j^i) \qquad (15)$$

$$\text{if } M[\text{execute}_j^i\rangle \text{ then } 1 \le G(\text{initialise}_i{\cdot}\text{fire}) - G(\text{initialise}_i{\cdot}\text{undo}(\text{pre}_j^i)) \qquad (16)$$

$$\text{if } \exists i.\ M[\text{execute}_j^i\rangle \text{ then } 1 \le G(\text{transfer}_j^h{\cdot}\text{fire}) - G(\text{transfer}_j^h{\cdot}\text{undo}(\text{trans}_j^h\text{-out})) \qquad (17)$$

$$F'(p,c) \cdot \big(G(\text{initialise}_c{\cdot}\text{fire}) - G(\text{initialise}_c{\cdot}\text{undone})\big) + \sum_{j >_\# i \in p^\bullet} F'(p,i) \cdot G(\text{fetch}_{i,j}^{p,c}) \le G(\text{distribute}_p) \qquad (18)$$

$$G(\text{distribute}_p) \le M'(p) + \sum_{\{i \in T' \mid p \in i^\bullet\}} G(\text{finalise}^i). \qquad (19)$$

Proof: For any $i \in T'$ and $t \in \Omega_i$, we have 

$$M(\text{undo}_i(t)) = \Big(\sum_{j >_\# i} G(\text{execute}_j^i)\Big) - G(t{\cdot}\text{elide}_i) - G(t{\cdot}\text{undo}_i) \ge 0,$$

given that $M'(\text{undo}_i(t)) = (M_0 - M_0')(\text{undo}_i(t)) = 0$. In this way, the place $\text{undo}_i(t)$ gives rise to the 
inequation (8) about $G$. Likewise, the places $\text{ack}_i(t)$, $\text{reset}_i(t)$ and $\rho_i(t)$, respectively, contribute (9) 
and (10), whereas $\rho(t)$, $\text{took}(f,t)$, $\text{take}(f,t)$ and $\text{fired}(t)$ yield (11). The remaining inequations arise from 
$\text{fetch}_{i,j}^{p,c}\text{-out}$, $\text{fetch}_{i,j}^{p,c}\text{-in}$, $\pi_j$, $\text{trans}_j^h\text{-in}$, $\pi_{j\#i}$, $\text{pre}_j^i$, $\text{trans}_j^h\text{-out}$, $p_c$ and $p$, respectively. ■ 

(15) can be rewritten as $T_j^h + \sum_{i <_\# j} E_j^i \le 1$, where $T_j^h := G(\text{transfer}_j^h{\cdot}\text{fire}) - \sum_\omega G(\text{transfer}_j^h{\cdot}\text{reset}_\omega)$ and 
$E_j^i := G(\text{execute}_j^i) - G(\text{fetched}_j^i)$. By (11), $\sum_\omega G(\text{transfer}_j^h{\cdot}\text{reset}_\omega) \le G(\text{transfer}_j^h{\cdot}\text{fire})$, so $T_j^h \ge 0$, and 
likewise, by (12), $E_j^i \ge 0$ for all $i <_\# j$. Hence, for all $h <_\# j$ and $i <_\# j \in T'$, 

$$0 \le T_j^h \le 1, \qquad 0 \le E_j^i \le 1, \qquad T_j^h + \sum_{i <_\# j} E_j^i \le 1. \qquad (20)$$
In our next claim we study triples (M,M',G) with 
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(A) M G [M ) N , M' G [M' ) n , and G G/ Z 7 ', 

(B) M = M' + (M -M ) + [GJ, 

(C) O(finalise') = for all i G T', 

(D) G(distribute p ) < M'{p) for all p G 5', 

(E) G(fetchedf) > for all k <*/ G 7", 

(F) G(distribute p ) > • G(execute^) for all i < # j G T' and /? G 

(G) < G(execute^) < 1 for all i < # j G T', 

(H) G(distribute p ) > F'(p,j) • G(execute^) for all i < # j G 7" and p G *j. 

(I) (in the notation of (|20]>) if E) = 1 with i <* j G 7" then Tf = 1 for all h <* j, 

(J) there are no j > # i=k < # I G T' with ^ (£,£), G(execute^) > and G(executef) > 0, 

(K) there are no i < # j=k < # / G T' with ^ (k,£), G(execute^) > and G(executef) > 0. 

Given such a triple (M\,M[,Gi) and a transition t G 7\ we define 7iexf(Mi,Mj,Gi,f) =: (M,M',G) as 
follows: Let G 2 := Gi + {t}. Take M := Mi + [f] = M{ + (M -M ) + [G 2 ]. In case f is not of the 
form finalise' we take M := M[ G [M' Q ) N > and G := G 2 G/ Z r . In case t = finalise' for some i G T' we 
have 1 = G 2 (finalise') < £ 7 ># ; G 2 (execute^) = Y,j>n G \ (execute.) by (0, © and ([l2i so by © and 
© there is a unique ; >* i with Gi (executed) = 1. We take M := M\ + [j] and G := G 2 — Gj, where Gj 
is the right-hand side of ([7]). 

Claim 2 (1) If Mi [t) and (Mi ,MJ , Gi ) satisfies (©-©, then so does next(M\,M[ ,G\,t). 
(2) For any M e[M ) N there exist M and G such that I©-© hold. 

Proof: (0 follows from (OQ) via induction on the reachability of M. In case M = Mo we take M := M 
and G := 0. Clearly, (©-(© are satisfied. 

Hence we now show (Q}. Let (M,M',G) := rce#(Mi,M{,Gi,f). We check that (M,M',G) satisfies 
the requirements (TAl-dKl). 

(A) By construction, M G [M ) N and G Gj 7L T . If t is not of the form finalise' we have M' =M\ G [M' ) N t. 
Otherwise, by (0 and © we have M[(p) > Gi (distribute p ) > F'(p,i) for all p G */, and hence 
MJ [/). This in turn implies that M' = M[ + [j] G [Mq)^- 

(B) In case ? is not of the form finalise' we have 

M = M\ + \t\= M\ + (M - M ) + [Gi + tj = M 1 + (M () - M ) + [G] . 

In case t = finalise' we have M = Mj + (M -M ) + [G 2 ] = M' + (M -M ) + JGJ, using that 
H = [<?!■ 

(C) Incase f = finalise'' we have G(finalise') = Gi (finalise') + 1 - Gj(finalise') = 0+1-1=0. 
Otherwise G(finalise') = Gi (finalise') + = + = 0. 

(D) This follows immediately from (0 and ( fT9l ). 

(E) The only time that this invariant is in danger is when t = finalise'. Then G = Gi + {finalise'} — Gj 
for a certain j > # i with Gi (execute*-) = 1. By (Q][l Gi(executej) < for all I > # i with / ^ ;'. 

3 We use ((TJl and (fEJl for G\ only, making use of the induction hypothesis. 
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Hence by Q2) d (fetched}) < for all such /. By © (^(finalise'') = G { (finalise 1 ) + 1 = 1, so by 
© £/>#,- Gi (fetched}) = Zi>*i Gi (fetched }) > 0; hence it must be that G\ (fetched}) > 0. By (E) 3 
Gi (fetched?) > for all k <* I G T. Given that Gj(fetched}) = 1 and Gj (fetched?) = for all 
(k,l) ^ (ij), we obtain G(fetchedf) > for all k <*/ G T. 

(F) Take i < # j G T' and p&'i. There are two occasions where the invariant is in danger: when t = 
execute} and when t = finalise^ with k G T . First let t = execute}. Then Mi [execute}). Thus, 

G(distribute p ) 

> F'(p,i)-(G(initialise,-- fire) - (^initialiser undone)) + £ F'(j>,g) -G(fetch^) (by CD) 

h>*gep' 

> F'(^,/)-(G(initialise r fire) -G(initialise r undone)) + £ F'(p,g) ■ G(fetchedf) (by (fill)) 



h>*gep' 

> F'(p,i) • (G(initialise,- • fire) -G(initialise ; - undone)) +F'(p, i) • G(fetched}) (by ©) 

> F'(p,i)- NG(initialise i -fire)-G(initialise i -undo(pre}))) + G(fetched} )J (by CB) 

> F'(p,i)- (l + G(fetched})) (by (QUO 

> F'(p, i) • G(execute}) (by 420)). 



Now let t = finalise^ with k G T . By dTTJ G(initialise, - fire) — ^(initialise/ • undone) > 0. So by ( fT8i 
©, and (fT2l ) G(distribute p ) > 0. For this reason we may assume, w.l.o.g., that G(execute}) > 1. 

We have G = G\ + {finalise^} -G\ for certain I > # k with G\ (execute?) = 1. Since Gj (execute}) > 0, 
we also have G\ (execute}) > 1. By (UJ) this implies that -<(i=k) or (i,j) = (k,l). In the latter case 
we have G(execute}) = G\ (execute}) — Gj(executel-) = 1 — 1=0, contradicting our assumption. 
In the former case p ^ *k, so G?(distribute p ) = and hence G(distribute p ) = Gi (distribute,,) > 
F'(p, i) ■ G\ (execute}) = F'(p, i) ■ G(execute}). 

(G) That $G(\mathit{execute}^i_j) \ge 0$ follows from (©) and (©). If $G(\mathit{execute}^i_j) \ge 2$ for some $i <^\# j \in T'$ then $M'(p) \ge G(\mathit{distribute}_p) \ge 2\cdot F'(p,i)$ for all $p \in {}^\bullet i$, using (D) and (F), so $M'[2\cdot\{i\}\rangle_{N'}$. Since $N'$ is a finitary structural conflict net it has no self-concurrency, so this is impossible.

(H) Take i < # j G T' and p G 'j. The case i = j follows from ((0), so assume i < # j. By (fTTT > we have 
^(initialise, • fire) - G(initialise,- • undone) > 0. So by (flSb . ©, and (fill) G(distribute p ) > 0. Hence, 
using (©, we may assume, w.l.o.g., that G(execute}) = 1. We need to investigate the same two 
cases as in the proof of ([0 above. First let t = execute}. Then M\ [execute}). Thus, 

G(distribute p ) 

> F'(/7,j)-(G(initialise r fire)-G(initialise r undone)) + £ F'(j>,g) -G(fetch^) (by (El])) 



> F'(p,j)- (G(initialise ; - -fire)- G(initialise ; - • undone)) h>* g e P ' (by © and (TTU)) 

> F'(p,j) • (G(initialise 7 • fire) — G(initialise 7 - • undo(trans}-in))) (by (fTTI )) 

> F'(pJ) ■ (G(transfer} - fire) - G(transfer} • undone) (by (fTTI )) 

> F'(pJ)- (G(transfer}-fire)-G(transfer}-undo(trans}-out))) (by (fTTI)) 

> F'(pJ) (by©). 



Now let t = finalise^ with k G T . We have G = G\ + {finalise*} - G? for certain / > # k with 
Gi (execute?) = 1. Since Gj(execute}) >0, we also have G\ (execute}) > 1. By (© this implies 
that ^(j = k) or = (k,l). In the latter case G(execute}) = G\ (execute}) — Gj(execute}) = 
1 — 1=0, contradicting our assumption. In the former case p ^ 'k, so G^ (distribute,,) = and 
hence G(distribute^) = Gi(distribute p ) > F'(p,j) ■ G\ (execute}) = F'(p,j) ■ G(execute}). 
(I) Let i<*jET' and/z <* j. Since, for all k < # l G T', G* (transfer^- fire) = I ffl G* (transfer^- reset ffl ) =0 
and G*(executey) = G*(fetchedy), the invariant is preserved when t has the form finalised Using 
(|20l ), it is in danger only when t = execute^- or t = transfery • reset ffl for some (0 with transfer'? G Q. m . 

First assume M\ [executey) and Tj 1 = G\ (transfer'- ■ fire) — Y,a> Gi (transfer'- • reset ffl ) = 0. Then 

1 < Gi (transfer' 1 -fire) - Gi (transfer^? • undo(trans^-out)) (by (fTTT)) 
< Gi (transfer^- fire) -^G^transfery -resets) =0 (by (HB), 

which is a contradiction. 

Next assume t = transfer^- resets with k = j, and Ej = 1. By (|EJ) and (|G]> the latter implies that 
Gi (executed) = 1 and G\ (fetched^) = 0. Then 

= Gi (finalise*) (by©) 

< Gi (transfer'- - elide*) + G\ (transfer') • reset*) (by ©) 

< G(transfery • elide*) + G(transferj • reset*) 

< I/>#*G(fetchedf) (by©). 

Hence Gi (fetched*) = G(fetchedf) > for some / > # k, and by fl2]) also G\ (execute*) > 0. Using 
(1Kb we obtain (i,j) =(k, I), thereby obtaining a contradiction (0 = Gi (fetched^) = G\ (fetched*) > 0). 

(J) Let j > # i = k < # I G T with ^ (k,l). The invariant is in danger only when t = execute^- or 
t = execute*. W.l.o.g. let t = execute*, with Gi (execute*) = and G\ (execute^-) > 1. 

Making a case distinction, first assume G(fetchedy) > 1. Using (jDj), ((0) and that G(execute*) = 1, 
M'{p) > G(distribute / ,) > F'(p,k) for all p G 'k. Likewise, M'(p) > G(distribute p ) > F'(p,i) for 
all p G 'i. Moreover, just as in |the proof of ([0), we derive, for all p G 'i H 'k, 

M'(p) > G(distribute /5 ) (by ©) 

> F'(p,k)- (G(initialise r fire)- G(initialise ft - undone)) + £ F'(p,g) -G(fetch^) (by (QUO 

h>*gep' 

> F'(p,k)- (G(initialise*- fire)- G(initialise* • undone)) + £ F'(p,g) G (fetched {) (by CE)) 

h>*gep' 

> F'(p,k)- (G(initialise*- fire) - G(initialise* • undone)) +F'(p,i) • G(fetchedy) (by©) 

> F'(p,k) ■ (G(initialise* • fire) - G(initialise* • undo(pref))) +F'(p, i) ■ G(fetchedy) (by CO])) 

> F>(p,k)+F'(p,i) (by CD). 

It follows that M'[{k}+{f\). As i = k and N' is a finitary [structural conflict netl this is impossible. 
(Note that this argument holds regardless whether i = k.) 

Now assume G(fetchedy) < 0. Then, in the notation of (|20]>, £j = 1. Since G\ (execute*) = 0, © 
and CG) yield Gi (fetched*) = 0. Hence G(execute*) = 1 and G(fetchedf) = 0, so Ef = 1. We will 
conclude the proof by deriving a contradiction from E l - = Ef = 1. In case j = I this contradiction 
emerges immediately from (l20l ). By symmetry it hence suffices to consider the case j < I. 
By © and 4H]> we have M'(p) > G(distribute p ) > F'(p,j) for all p G 'j, so M'[j). Likewise M'[l) 
and, using ((0), M'[i) and M'[k). Since j = i = k and N' has no fully reachable pure M j = k. Since 

# . # 1 i »t/ i \ r 11 i 1~ i m • # 



j = k = I and N' has no |fully reachable pure M[ ; = /. So j < # /. By (|20]>, using that £j = 1 , T/ = 0. 
This is in contradiction with ~E~f = 1 and dU). 

(K) Suppose that G(executey) > and G(executef) > 0, with z <* j = k< # 1 G T'. By © and dHl> we 
have M' (jo) > G(distribute p ) >F'(pJ) for ah>G*j> soM'[y). Likewise, using dB,M'[/) mdM'[k). 
Since i = j = k and A^' has no fully reachable pure M i = k. Using this, the result follows from ©■ ■ 






Claim 3 For any $M \in [M_0\rangle_N$ there exist $M' \in [M_0'\rangle_{N'}$ and $G \in \mathbb{Z}^T$ satisfying (A)–(K) from Claim 2 and
(L) there are no $j >^\# i = k <^\# l \in T'$ with $M[\mathit{execute}^i_j\rangle$ and $G(\mathit{execute}^k_l) > 0$,
(M) there are no $i <^\# j = k <^\# l \in T'$ with $M[\mathit{execute}^i_j\rangle$ and $G(\mathit{execute}^k_l) > 0$,
(N) if $M[\mathit{execute}^i_j\rangle$ for $i <^\# j \in T'$ then $M'[j\rangle$.

Proof: Given M, by Claim \%2) there are M' and G so that the triple (M,M',G) satisfies ©-(0. As- 
sume M[execute}) for some i <* j G T'. Let Mi := M + [execute}]] and Gy := G + {execute}}. By (© 
G(execute}) > 0, so Gi (execute}) > 0. By ClaimHtl) the triple (Mi,M',Gi) satisfies 

(L) Suppose G(executeJ r ) > for certain / > # k = i. In case = (k,£) we have Gi(execute}) > 2, 
contradicting (|G]>. In case ^ {k,£), G\ fails (UJ), also a contradiction. 

(M) Suppose G(executef ) > for certain / > # k = j. Then G\ fails (|G]> or (©, a contradiction. 

(N) By © and © M'(p) > Gi (distribute,,) >F(p, j) for aUp G 'j. so Af'L/). ■ 

Claim 4 If M[{execute}}+{executef }) for some M G [M )iv then (/=£). 

Proo/- SupposeM[{execute}}+{executef}) forsomeMG [Mo)at. By Claim[32) there exist M' G [Afjj)^ 
and G G/ Z r satisfying Let Mi :=M + [executef] and Gi := G + {execute^ }. By Claim 13 1) 

the triple (Mi,M',Gi) satisfies <E1>— dK]>- LetM 2 :=Mi + [executed] and G 2 := Gi + {execute}}. Again 
by ClaimHtl), also the triple (M 2 ,M',G 2 ) satisfies (©-(!]>. By (jGj) G(execute}) > 0, so in case = 
(k,l) we obtain G 2 (execute}) >2, contradicting ((Gj). Hence ^ (k,l). Moreover, G 2 (execute^) > 
and G2(execute}) > 0. Now © implies -i(i=k). ■ 

For any $t \in \{\mathit{initialise}_j, \mathit{transfer}^h_j\}$ with $h,j \in T'$, and any $\omega \in \Omega$ with $t \in \Omega_\omega$, we write
$$t(\omega) := t\cdot\mathit{fire} + t\cdot\mathit{undo}_\omega + \Big(\sum_{f \in ({}^\bullet t)_{\mathit{far}}} t\cdot\mathit{undo}(f)\Big) + t\cdot\mathit{undone} + t\cdot\mathit{reset}_\omega .$$

The transition $t$ has no preplaces of type in, nor postplaces of type out. By checking in Table 1 or Figure 3 that each other place occurs as often in ${}^\bullet t(\omega) + (t\cdot\mathit{elide}_\omega)^\bullet$ as in $t(\omega)^\bullet + {}^\bullet(t\cdot\mathit{elide}_\omega)$, one verifies, for any $\omega \in \Omega$ with $t \in \Omega_\omega$, that
$$[t(\omega)] = [t\cdot\mathit{elide}_\omega]. \qquad (21)$$
Let $\equiv$ be the congruence relation on finite signed multisets of transitions generated by
$$t(\omega) \equiv t\cdot\mathit{elide}_\omega \qquad (22)$$
for all $t \in \{\mathit{initialise}_j, \mathit{transfer}^h_j \mid h,j \in T'\}$ and $\omega \in \Omega$ with $t \in \Omega_\omega$. Here congruence means that $G_1 \equiv G_2$ implies $k\cdot G_1 \equiv k\cdot G_2$ and $G_1 + H \equiv G_2 + H$ for all $k \in \mathbb{Z}$ and $H \in \mathbb{Z}^T$. Using (21), $G_1 \equiv G_2$ implies $[G_1] = [G_2]$.

Claim 5 If $M' = [G]$ for $M' \in \mathbb{Z}^{S'}$ and $G \in \mathbb{Z}^T$ such that for all $i \in T'$ we have $G(\mathit{finalise}^i) = 0$ and either $\forall j >^\# i.\ G(\mathit{execute}^i_j) \ge 0$ or $\forall j >^\# i.\ G(\mathit{execute}^i_j) \le 0$, then $G \equiv 0$.

Proof: Let $M'$ and $G$ be as above. W.l.o.g. we assume $G(t\cdot\mathit{elide}_\omega) = 0$ for all $t \in \{\mathit{initialise}_j, \mathit{transfer}^h_j\}$ and all $\omega \in \Omega$ with $t \in \Omega_\omega$, for any $G$ can be brought into that form by applying (22). For each $s \in S \setminus S'$ we have $M'(s) = 0$, and using this the inequations (8)–(12) and (18) of Claim 1 turn into equations. For each $i \in T'$ we have $G(\sum_{j >^\# i} \mathit{execute}^i_j) = 0$, using (the equational form of) (8)–(10), and that $G(\mathit{finalise}^i) = 0$. Since $G(\mathit{execute}^i_j) \ge 0$ (or $\le 0$) for all $j >^\# i$, this implies that $G(\mathit{execute}^i_j) = 0$ for each $i <^\# j \in T'$. With (12) we obtain $G(\mathit{fetched}^i_j) = G(\mathit{fetch}^{pc}_{ij}) = 0$ for each applicable $p,c,i,j$. Using that $G(t\cdot\mathit{elide}_\omega) = 0$ for each applicable $t$ and $\omega$, with (©)–(11) and (18) we find $G(t) = 0$ for all $t \in T$. ■
Claim 6 Let $M := M' + (M_0 - M_0') + [H] \in [M_0\rangle_N$ for $M' \in [M_0'\rangle_{N'}$ and $H \in \mathbb{Z}^T$ with $H(\mathit{execute}^i_j) = 0$ for all $i <^\# j \in T'$.

(a) If $H(\mathit{finalise}^i) < 0$ and $H(\mathit{finalise}^k) < 0$ for certain $i,k \in T'$ then $\neg(i \# k)$.

(b) If $M[\mathit{execute}^i_j\rangle$ and $H(\mathit{finalise}^k) < 0$ for certain $i,k \in T'$ then $\neg(i = k)$ and $\neg(j = k)$.

(c) $H(\mathit{distribute}_p) \ge 0$ for all $p \in S'$ (with $p^\bullet \neq \emptyset$).

(d) Let $c = i \in T'$. If $H(\mathit{distribute}_p) \ge F'(p,c)$ for all $p \in {}^\bullet c$, then $H(\mathit{finalise}^i) = 0$.

(e) If $M[\mathit{execute}^i_j\rangle$ with $i <^\# j \in T'$ then $M'[j\rangle$.

Proof: By Claim[3]there exist M[ G [Mq) /v and Gi G/ Z r satisfying ©-© (with M, M[ and G x playing 
the roles of M, M' and G). In particular, M = M[ + (M -M' Q ) + [Gi], Gi (finalise') = for all i G 7", 
and Gi (execute^) > for all i < # j G T'. Using {j}, for each / G T there is at most one j >* / with 
Gi (execute^) > 0; we denote this j by /(/), and let f(i) := i when there is no such j. This makes 
/ : T' — y T a function, satisfying Gi (execute^) = for all j > # i with j 7^ /(/). 

Given that //(execute^) =0 for all i < # j G T', P-(fT0l (or © and (QUO imply //(finalise 1 ) < 
for all i G T . Let := M' + £ !eT , //(finalise') • p] and G 2 := // - £ ier //(finalise') • Gr* (j) , where Gj 
is the right-hand side of ©. Then M = M' + (Af - Mq) + [77] = M' 2 + (M - Mq) + [G2], using that 
[j] = [GLJ. Moreover, G 2 (finalise') = for all / G 7", using that G| ( . } (finalise') = 1. 

It follows that M[-M' 2 = [G 2 - GiJ. Moreover, we have (G 2 - Gi) (finalise') = for all i G T' . 
We proceed to show that G 2 — Gi satisfies the remaining precondition of Claim [5] So let j G T' . In 
case //(finalise') = 0, for all j >* i we have G 2 (executey) = 0, and G\ (execute^) > by (|G]>. Hence 
(G 2 — Gi)(executep < 0. In case //(finalise') < 0, we have G 2 (execute^) > 1, and hence, using (iGl . 
(G 2 — G\) (execute^ *) > 0. Furthermore, for all j ^ f(i), G 2 (executey) > and G\ (execute^) = 0, so 
again (G 2 - G\) (execute^) > 0. 

Thus we may apply Claim|5l which yields G 2 = G\. It follows that M' 2 = M[ G [M ) W '. 

(a) Suppose that //(finalise') < and //(finalise*) < for certain i # k G 7 1 '. Then G 2 (execute^ - ) > 
and G 2 (execute*^ ) > 0, so G\ (execute^. J > and Gi (execute*^) > 0, contradicting ©. 

(b) Suppose that Mfexecute^) and //(finalise*) < for certain k = i or & = ./'. Then Gi (execute* ^) = 
G 2 (execute* > 0, contradicting (|D or ((Mi 

(c) By (|aj>, for any given p €S' there is at most one i G p* with //(finalise') < 0. For all i G T with / ^ p* 
we have G'^.n (distribute;,) = 0. First suppose k G p* satisfies //(finalise*) < 0. Then 



Gi (execute* (jt) ) 



= G 2 (execute* 

= //(execute*^) — L; e r' //(finalise') • GL* (execute*^) 
= 0- //(finalise*), 



so by © Gi (distribute^ > 
//(distributep) 



—F'(p,k) -//(finalise*). Hence 



= G 2 (distribute p ) +Y*ieT' //(finalise') • Gj.^ (distribute;,) 
= Gi (distributep) +H (finalise*) • G k f{k) (distribute,,) 
> -F'(p,k) -//(finalise*) + //(finalise*) -F^p,*) =0. 



In case there is no i G p* with //(finalise') < we have 

//(distributep) = G 2 (distribute,,) + £ //(finalise') • Gj.« (distribute^,) = Gi (distributep) >0 

iff 

by © and ©. 
(d) Since //(finalise') <0 and GL« (distribute^) >0 for all i G T', also using (jc]), all summands in 
//(distribute,,) + YaeT' —//(finalise') • G^ (distribute,,) are positive. Now suppose //(finalise') < 
for certain i G T'. Then, using ((Dj), for all p G 'i, 

M[(p) > Gi(distribute p ) = G 2 (distribute,,) > GL) (distribute,,) =F'(p,i). 

Furthermore, let c = i and suppose //(distribute,,) > F'(p,c) for all p G *c. Then, using (iDl ). 

M[(p) > Gi(distribute p ) = G 2 (distribute p ) > //(distribute,,) >F'(p,c) 

for all p G *c. Moreover, if G *c R "i then 

M[(p) > G 2 (distribute,,) > //(distribute,,) + G} (;) (distribute,,) >F'(p,c)+F'(j>,i). 

Hence M' 2 [{c}+{i}). However, since c = i and N' is a lstructural conflict netl this is impossible. 

(e) Suppose M[execute^} with i <* j G T' . ThenM( [j) by ©. Now M' = Mj +ZkeT> -//(finalise*) • \kj, 
with - 
M'\j). 



with -//(finalise*) > for all k G T'. Whenever -//(finalise*) > then ^{j = k) by ©. Hence 



We now define the class $\mathit{NF} \subseteq \mathbb{Z}^T$ of signed multisets of transitions in normal form by $H \in \mathit{NF}$ iff $\ell(H) = 0$ and, for all $t \in \{\mathit{initialise}_j, \mathit{transfer}^h_j \mid h,j \in T'\}$:

(NF-1) $H(t\cdot\mathit{elide}_\omega) \le 0$ for each $\omega \in \Omega$,

(NF-2) $H(t\cdot\mathit{undo}_\omega) \ge 0$ for each $\omega \in \Omega$, or $H(t\cdot\mathit{fire}) \ge 0$,

(NF-3) and if $H(t\cdot\mathit{elide}_\omega) < 0$ for any $\omega \in \Omega$, then $H(t\cdot\mathit{undo}_\omega) \le 0$ and $H(t\cdot\mathit{fire}) \le 0$.

We proceed verifying the remaining conditions of Theorem [3] 

IU By applying (22), each signed multiset $G \in \mathbb{Z}^T$ with $\ell(G) = 0$ can be converted into a signed multiset $H \in \mathit{NF}$ with $\ell(H) = 0$, such that $[H] = [G]$. Namely, for any $t \in \{\mathit{initialise}_j, \mathit{transfer}^h_j \mid h,j \in T'\}$, first of all perform the following three transformations, until none is applicable:

(i) correct a positive count of a transition $t\cdot\mathit{elide}_\omega$ in $G$ by adding $t(\omega) - t\cdot\mathit{elide}_\omega$ to $G$;

(ii) if both $H(t\cdot\mathit{undo}_\omega) < 0$ for some $\omega$ and $H(t\cdot\mathit{fire}) < 0$, correct this in the same way;

(iii) and if, for some $\omega$, $t\cdot\mathit{elide}_\omega$ has a negative and $t\cdot\mathit{undo}_\omega$ a positive count, add $t\cdot\mathit{elide}_\omega - t(\omega)$.

Note that transformation (iii) will never be applied to the same $\omega$ as (i) or (ii), so termination is ensured. Properties (NF-1) and (NF-2) then hold for $t$. After termination of (i)–(iii), perform

(iv) if, for some $\omega$, $H(t\cdot\mathit{elide}_\omega) < 0$ and $H(t\cdot\mathit{fire}) > 0$, add $t\cdot\mathit{elide}_\omega - t(\omega)$.

This will ensure that also (NF-3) is satisfied, while preserving (NF-1) and (NF-2).

Define the function $f : T \to \mathbb{N}$ by $f(u) := 1$ for all $u \in T$ not of the form $u = t\cdot\mathit{elide}_\omega$, and $f(t\cdot\mathit{elide}_\omega) := f(t(\omega))$ (applying the last item of Definition Q). Then surely $f(G) = f(H)$.

|U Let $M' \in \mathbb{N}^{S'}$, $U' \in \mathbb{N}^{T'}$ and $U \in \mathbb{N}^T$ with $\ell(U) = \ell'(U')$ and $M' + {}^\bullet U' \in [M_0'\rangle_{N'}$. Since $N'$ is a finitary structural conflict net it admits no self-concurrency, so, as ${}^\bullet U' \le M' + {}^\bullet U' \in [M_0'\rangle_{N'}$, the multiset $U'$ must be a set. As $N'$ is plain this implies that the multiset $\ell'(U')$ is a set. Since $\ell(U) = \ell'(U')$, also $\ell(U)$, and hence $U$, must be a set. All its elements have the form $\mathit{execute}^i_j$ for $i <^\# j \in T'$, since these are the only transitions in $T$ with visible labels. Note that $U'$ is completely determined by $U$, namely by $U' = \{i \mid \exists j.\ \mathit{execute}^i_j \in U\}$. We take
$$H_{M',U'} := \sum_{p \in S'} (M' + {}^\bullet U')(p)\cdot\{\mathit{distribute}_p\} + \sum_{(M' + {}^\bullet U')[j\rangle} \{\mathit{initialise}_j\cdot\mathit{fire}\} + \sum_{h <^\# j,\ \nexists\,\mathit{execute}^g_h \in U} \{\mathit{transfer}^h_j\cdot\mathit{fire}\}.$$

Since $N'$ is finitary, $H_{M',U'} \in \mathbb{N}^T$. Moreover, $\ell(H_{M',U'}) = 0$.

Let $H \in \mathit{NF}$ with $M := M' + {}^\bullet U' + (M_0 - M_0') + [H] - {}^\bullet U \in \mathbb{N}^S$ and $M + {}^\bullet U \in [M_0\rangle_N$. Since $H \in \mathit{NF}$, and thus $\ell(H) = 0$, $H(\mathit{execute}^i_j) = 0$. From here on we apply Claim 1 and Claim 6 with $M + {}^\bullet U$ and $M' + {}^\bullet U'$ playing the roles of $M$ and $M'$. Note that the preconditions of these claims are met.

That $H(\mathit{execute}^i_j) = 0$ for all $i <^\# j \in T'$, together with (®) and the requirements (NF-1) and (NF-3) for normal forms, yields $H(t\cdot\mathit{elide}_\omega) \le 0$ as well as $H(t\cdot\mathit{undo}_\omega) \le 0$. Using this, (9)–(12) imply that
$$H(u) \le 0 \quad\text{for each } u \in T^-. \qquad (23)$$

Claim 7 Let $c \in T'$ and $p \in {}^\bullet c$. Then

• if $H(\mathit{initialise}_c\cdot\mathit{fire}) > 0$ then $H(\mathit{fetch}^{pc}_{ij}) = 0$ for all $i \in p^\bullet$ and $j >^\# i$, and

• if $H(\mathit{transfer}^b_c\cdot\mathit{fire}) > 0$ for some $b <^\# c$ then $H(\mathit{fetch}^{pc}_{ij}) = 0$ for all $i \in p^\bullet$ and $j >^\# i$.

Proof: Suppose that $H(t\cdot\mathit{fire}) > 0$, for $t = \mathit{initialise}_c$ or $t = \mathit{transfer}^b_c$. Then (13) resp. (20) together with (23) implies that $H(t\cdot\mathit{reset}_\omega) = 0$ for each $\omega$ with $t \in \Omega_\omega$. In other words, $H(t\cdot\mathit{reset}_i) = 0$ for each $i = c$, so in particular for each $i \in p^\bullet$. Furthermore, $H(t\cdot\mathit{elide}_i) \ge 0$, by requirement (NF-3) of normal forms. With (©), this yields $\sum_{j >^\# i} H(\mathit{fetched}^i_j) \ge 0$, and (23) implies $H(\mathit{fetched}^i_j) = 0$ for each $j >^\# i$. Now (12) and (23) give $H(\mathit{fetch}^{pc}_{ij}) = 0$ for each $j >^\# i \in p^\bullet$. ■



We proceed to verify the requirements (T5ab-( 5g ) of Theorem [3] 

a| To show that M M i y G N s , it suffices to apply it to the preplaces of transitions in Hm>,u + U : 
M M >u{p) =0 for all p£ S' ; 

m', („) _ {(M'+'U')(p)-F'(pJ) \£{M'+'U')[j) , 

Mm'ukPj) - \(M'+ m U')(p) otherwise for p£S,jep, 

„ , / \ / if (M r +*U')[j) _ . 

Mm '^ = { 1 otherwise f ° f ]E T ; 

f 1 if {M 1 +*U') [j) A execute^ U 

M M iy(pre{) = \~ l if -i(M' +*?7 / )[j) A execute^ G U for ; < # keT'; 

\ otherwise 

, v if Bexecutef G U V (M' +*U')[j) . . # . 

Mm 1 ,u{^h#j) = { j Qtherwise * former' 

M M ^(transH = { o otherwise for h< j £ T ; 

{1 if (M ' +'£/') [j) A ^executef G U A ^execute^. G £/ 

- 1 if \->(M' +'U') [j) V Bexecutef G U) A ^execute} G C/ 

otherwise for h < # j ef. 

For all these places * we indeed have that M M < y (s) > 0, for the circumstances yielding the two 
exceptions above cannot occur: 
• Suppose execute^ G U with j <*k G T'. Then ; G U', so "j C M' +'V and (M ; + V) [j). 
Consequently, M M >,u {pre{) ^ -1 for all ; <*k G T . 
Suppose execute^- G U with i < # j G T'. Then 'execute^- < 'U, so (M +'U) [execute^). 
ClaimileD with M+'U and M' +'!/' in the roles of M and M' yields (M' + 'U') [j). 
If moreover execute^ G £/ with g < # /z <*j, then {g}+{i} C £/', so *{g}+*{/} C M'+'U' 
and (M' + *[/') [{#}+{/})• In particular, g /, and since iV' is a Istructural conflict netl 
'g n 'i = 0. By Claim [6]©— as above— (M'+'U') [h), so "g U "ft U *j U 'i C M'+'t/' G 
[M' Q ) N > . Moreover, since g< # h< # j > # i, we have *g n */i 7^ 0, */z n * i 7^ and * j n *j 7^ 0. 
Now in case also 'h n * £ 7^ 0, the transitions g, /z and i constitute a fully reachable pure M[ 



otherwise h w / and /z, 7 and i constitute a fully reachable pure M Either way, we obtain 



a contradiction. Consequently, M M > £/(trans*-out) 7^ —1 for all h <* j G 7 1 '. 
Suppose M' — >•; say M'[i) with ■£'(/) = a. Let j be the largest transition in T w.r.t. the well- 
ordering < on T such that i < # j and (M' +*U')[j). It suffices to show that Mm'.u [execute'-), 
i.e. that M M / [/ (pre^)=l, Mj W / )t/ (trans^-out)=l for all h < # j, and M M ^ u (7tj#i)=l for all / >*j. 
If execute' ; - g U we w ould have / G {/' and hence (M' + *U')[2 ■ {/}). Since iV' is a fmitary 



Istructural conflict net[ this is impossible. Therefore execute^ G" U and, using the calculations 
from (a) above, M M i u(pre'j) = 1. 

Let/i< # j. To establish thatM;v/',j/(tranSy-out) = 1 we need to show that there is no k < # j with 
execute^ G U and no g < # /z with execute^ G t/. First suppose execute^ G t/ for some k < # 7. 
Then k £ U' and hence (M' +*£/')[{/}+{&}}. This implies z ^ and, as N' is a structural 
conflict net, *i n *& = 0. Hence the transitions /, j and & are all different, with 'i n * j 7^ and 
*y n 7^ but */ n *k = 0. Moreover, the reachable marking M' +*[/' enables all three of them. 



Hence N' contains a fully reachable pure M which contradicts the assumptions of Theorem [5] 
Next suppose executef G U for some g < # h. Then (M+*t/) [executef), so (M' +'U')[h) by 
Claim0tsl). Moreover, g G U', so (M' +'U')[{i}+{g}). This implies g — i, and *gn*i = 0. 
Moreover, *gn*h^ 0, */z n *j 7^ and *j n *i 7^ 0, while the reachable marking M' +'U' 
enables all these transitions. Depending on whether 'h n *i = 0, either h, j and i, or g, h and i 
constitute a 



fully reachable pure M[ contradicting the assumptions of Theorem [5J 



Let / >* j. To establish that Mm 1 ,u(^j#l) = 1 we need to show that there is no k < # j with 
execute* G U — already done above — and that ->(M' +'U')[l). Suppose (M' +'U')[l). Con- 
sidering that j was the largest transition with i <* j and (M' +*U')[j), we cannot have i < # /. 
Hence the transitions i, j and / are all different, with *i n * j 7^ and * j n "/ 7^ but "i n */ = 0. 
Moreover, the reachable marking M'+'U' enables all three of them. Hence N' contains a 
fully reachable pure M| which contradicts the assumptions of Theorem [5] 



(l5cl > We have to show that H(t) < H M >jj(t) for each t G T. 

• In case ( £ this follows from (|23T > and fl^f' i/ S IN 7 



In case ? = execute^- it follows since £(H ) = 0. 

In case ? = distribute p it follows from (fT9l ) and (|23T ). 

Next let t = initial! se c • fire for some c G T' . In case 7^ (initialise^ • fire) < surely we have 
//(initialise c • fire) < H M > u (initial ise c . • fire). So without limitation of generality we may 
assume that //(initialise c • fire) > 0. By (I13II23I ) we have //(initialise^ fire) = 1. Using 
(fl8i ClaimEJ (f23j and (QUl we obtain, for all p G *c, 

F'(p,c) -^(initialisec -fire) < //(distribute p ) < (M ; +*t/')(p). 

Hence c is enabled under M' +'U' , which implies H M > u (initial ise c • fire) = 1. 

Let t = transfer^ - fire for some b < # c G T'. As above, we may assume //(transfer*- fire) >0. 

By (12011231) we have //(transfer* • fire) = 1. Using d23j and that //(execute?) = for all 
g < # b, it follows that (M+*U)(K b#c ) = 0. Hence -.(Af+'t/) [execute^ for all g < # b, and 
thus ^execute| G U. For all p G *c we derive 

F'(p,c) -//(transfer^ -fire) 

< F'(p,c)- (//(transfer^ -fire) -//(transfer^ -undone)) ((23]) 

< F'(p,c) - (//(initialise,. -fire)- //(initialise,. -undo(tranSc-in))) (fl4|) 

< F'(p,c) • (//(initialise c • fire) — //(initialise,. • undone)) (jTTJ) 
= [the same as above] + £ F'(p, i) ■ Htfetchff) (ClaimE) 

< //(distribute^) i>*^p' (H]) 

< (M' +*U')(p) + £ //(finalise') 

< (M'+'f/OO?) {'er'|pei-} (j^J. 

Hence (M' +*t/')[c), and thus // M / ;f/ (transfer^) = 1. 

If u £ T , yet H(u) ^ 0, then u is either distribute^, initialise^- - fire or transfer^ - fire for suitable 
p G S' or /j, j G r'. For w = distribute,, the requirement follows from Claim[6]jcj); otherwise 
Property (NF-(2]), together with (JTTJ, guarantees that H(u) > 0. 

If H(t) > and H(u) < 0, then t G T + and w G T . The only candidates for 't n *m ^ are 

• p c £ '(initialise,, - fire) n*(fetchfp for G 5", c,z G p' and j > # /, 

• trans^-in G (transfer^ • fire) n '(initialise,. • undo(trans^-in)) for b < # c G T'. 
We investigate these possibilities one by one. 

• //(initialise,. • fire) > A //(fetch?'' ) < cannot occur by Claim |7J 

• Suppose //(transfer^ -fire) > 0. By (T20JI23J we have //(transfer^ fire) = 1. Through the 
derivation above, in the proof of requirement (c), using (I23H 14LfTTT> . Claim|7]and (PT8T ). we 
obtain //(distribute^) > F'(p,c) for all p G 'c. Now ClaimlMd]) yields //(finalise') = 
for all i = c. By © and (l23l) we obtain //(initialise, - reset;) =0 for each such i. Hence 
£.# //(initialise^- reset,) =0, and thus //(initialise,. • undo(trans^-in)) = Oby (I11II23I) . 

© If H(u) < Oand (M+'U)[t) with^(f) / T, then t = execute^- for some i < # j G T' and wG/-. 
The only candidates for *t n *w ^ are 

• pre^ G '(execute^) Pi * (initialise^ • undo(pre^)) and 

• transy-out G "(execute^) n '(transfer'- • undo(transy-out)) for h <* j. 
We investigate these possibilities one by one. 

• Suppose (M+'U) [executed). By Claimi®, //(finalise*) > for each k=i. By © and 
d23l we obtain //(initialise,- resets) =0for each such k. Hence ^//(initialise,- resets) = 0, 
and thus //(initialise,- • undo(pre^)) = by (|HH231l . k li 

• Suppose (M+'U) [execute*,) and h <* j. By Claim[6l|b]>, //(finalise*) > for each k = j. 
By © and d23j //(transfer*-- resets) = for each such k. So £ //(transfer^- resets) = 0, 
and //(transfer' 1 • undo(trans^-out)) = by (|lll l23t. k =j 

g) Suppose (M +*I/)[{f}+{ii});v, and i,jfc G T with f (/) = l(t) and ^(jfc) = £( B ). Since the net N' 
plain( t and w must have the form execute^- and execute* for some j >* i and / > # Claim|4] 



is 



yields ->(/ = £) and hence *i n *fc = 0. □ 

Thus, we have established that the conflict replicating implementation $\mathcal{I}(N')$ of a finitary plain structural conflict net $N'$ without a fully reachable pure M is branching ST-bisimilar with explicit divergence to $N'$. It remains to be shown that $\mathcal{I}(N')$ is essentially distributed.






Lemma 10 Let $N$ be the conflict replicating implementation of a finitary net $N' = (S',T',F',M_0',\ell')$; let $j,l \in T'$, with $l >^\# j$. Then no two transitions from the set $\{\mathit{execute}^i_j \mid i <^\# j\} \cup \{\mathit{transfer}^j_l\cdot\mathit{fire}\} \cup \{\mathit{transfer}^j_l\cdot\mathit{undo}(\mathit{trans}^j_l\text{-}\mathit{out})\} \cup \{\mathit{execute}^k_l \mid k <^\# l\}$ can fire concurrently.

Proof: For each $i <^\# j$ pick an arbitrary preplace $q_i$ of $i$. The set $\{\mathit{fetch}^{q_i i}_{ij}\text{-}\mathit{in}, \mathit{fetch}^{q_i i}_{ij}\text{-}\mathit{out} \mid i <^\# j\} \cup \{\pi_{j\#l}, \mathit{trans}^j_l\text{-}\mathit{out}, \mathit{took}(\mathit{trans}^j_l\text{-}\mathit{out}, \mathit{transfer}^j_l), \rho(\mathit{transfer}^j_l)\}$ is an S-invariant: there is always exactly one token in this set. This is the case because each transition from $N$ has as many preplaces as postplaces in this set. The transitions from $\{\mathit{execute}^i_j \mid i <^\# j\} \cup \{\mathit{transfer}^j_l\cdot\mathit{fire}\} \cup \{\mathit{transfer}^j_l\cdot\mathit{undo}(\mathit{trans}^j_l\text{-}\mathit{out})\} \cup \{\mathit{execute}^k_l \mid k <^\# l\}$ each have a preplace in this set. Hence no two of them can fire concurrently. □

Lemma 11 Let $N$ be the conflict replicating implementation $\mathcal{I}(N')$ of a finitary plain structural conflict net $N' = (S',T',F',M_0',\ell')$ without a fully reachable pure M. Then for any $i <^\# j = c \in T'$ and $f \in ({}^\bullet\mathit{initialise}_c)_{\mathit{far}}$ the transitions $\mathit{execute}^i_j$ and $\mathit{initialise}_c\cdot\mathit{undo}(f)$ cannot fire concurrently.



Proof: Suppose these transitions can fire concurrently, say from the marking $M \in [M_0\rangle_N$. By Claim 3 there are $M' \in [M_0'\rangle_{N'}$ and $G \in \mathbb{Z}^T$ such that (A)–(N) hold. Let $t := \mathit{initialise}_c$, $G_1 := G + \{t\cdot\mathit{undo}(f)\}$ and $M_1 := M + [t\cdot\mathit{undo}(f)]$. Then (©), applied to the triples $(M,M',G)$ and $(M_1,M',G_1)$, yields
$$\sum_{\{\omega \mid t \in \Omega_\omega\}} G(t\cdot\mathit{reset}_\omega) \le G(t\cdot\mathit{undo}(f)) < G_1(t\cdot\mathit{undo}(f)) \le \sum_{\{\omega \mid t \in \Omega_\omega\}} G_1(t\cdot\mathit{undo}_\omega) = \sum_{\{\omega \mid t \in \Omega_\omega\}} G(t\cdot\mathit{undo}_\omega).$$

Hence, there is an $\omega$ with $t \in \Omega_\omega$ and $G(t\cdot\mathit{reset}_\omega) < G(t\cdot\mathit{undo}_\omega)$. This $\omega$ must have the form $k \in T'$ with $k = c$. We now obtain
$$\begin{aligned}
0 &= G(\mathit{finalise}^k) &&\text{(by ©)}\\
  &\le G(t\cdot\mathit{elide}_k) + G(t\cdot\mathit{reset}_k) &&\text{(by ©)}\\
  &< G(t\cdot\mathit{elide}_k) + G(t\cdot\mathit{undo}_k) \\
  &\le \sum_{l >^\# k} G(\mathit{execute}^k_l) &&\text{(by ©)}.
\end{aligned}$$

Hence, there is an $l >^\# k = c$ with $G(\mathit{execute}^k_l) > 0$. By (M) we obtain $\neg(j = l)$, so ${}^\bullet j \cap {}^\bullet k = \emptyset$. Additionally, we have ${}^\bullet j \cap {}^\bullet c \neq \emptyset$ and . By (N) we obtain $M'[j\rangle$, and by (D) and (©) $M'[k\rangle$. Furthermore, by (©), $G(t\cdot\mathit{undo}(f)) < G_1(t\cdot\mathit{undo}(f)) \le G_1(t\cdot\mathit{fire}) = G(t\cdot\mathit{fire})$, so, for all $p \in {}^\bullet c$,
$$\begin{aligned}
F'(p,c) &\le F'(p,c)\cdot(G(t\cdot\mathit{fire}) - G(t\cdot\mathit{undo}(f))) \\
  &\le F'(p,c)\cdot(G(t\cdot\mathit{fire}) - G(t\cdot\mathit{undone})) &&\text{(by ©)}\\
  &\le G(\mathit{distribute}_p) - \sum_{j >^\# i \in p^\bullet} F'(p,i)\cdot G(\mathit{fetch}^{pc}_{ij}) &&\text{(by ©)}\\
  &\le G(\mathit{distribute}_p) &&\text{(by © and ©)}\\
  &\le M'(p) &&\text{(by ©)}.
\end{aligned}$$

It follows that $M'[c\rangle$. Thus $N'$ contains a fully reachable pure M, which contradicts the assumptions of Lemma 11. □

Theorem 6 Let $N$ be the conflict replicating implementation $\mathcal{I}(N')$ of a finitary plain structural conflict net $N'$ without a fully reachable pure M. Then $N$ is essentially distributed.

Proof: We take the canonical distribution $D$ of $N$, in which $\equiv_D$ is the equivalence relation on places and transitions generated by Condition (1) of Definition 15. We need to show that this distribution satisfies Condition (2') of Definition 16. A given transition $t$ with $\ell(t) \neq \tau$ must have the form $\mathit{execute}^i_j$ for some $i <^\# j \in T'$. By following the flow relation of $N$ one finds the places and transitions that, under the canonical distribution, are co-located with $\mathit{execute}^i_j$:

[Diagram of the places and transitions co-located with $\mathit{execute}^i_j$: $\pi_{j\#l} \to \mathit{transfer}^j_l\cdot\mathit{fire} \leftarrow \mathit{trans}^j_l\text{-}\mathit{in} \to \mathit{initialise}_l\cdot\mathit{undo}(\mathit{trans}^j_l\text{-}\mathit{in}) \leftarrow \mathit{take}(\mathit{trans}^j_l\text{-}\mathit{in}, \mathit{initialise}_l)$; $\mathit{execute}^i_j$; $\mathit{trans}^h_j\text{-}\mathit{out} \to \mathit{transfer}^h_j\cdot\mathit{undo}(\mathit{trans}^h_j\text{-}\mathit{out}) \leftarrow \mathit{take}(\mathit{trans}^h_j\text{-}\mathit{out}, \mathit{transfer}^h_j)$; $\mathit{execute}$; $\mathit{pre}^g_j \to \mathit{initialise}_j\cdot\mathit{undo}(\mathit{pre}^g_j) \leftarrow \mathit{take}(\mathit{pre}^g_j, \mathit{initialise}_j)$]

for all $l >^\# j$, $h <^\# j$ and $g <^\# j$. We need to show that none of these transitions can happen concurrently with $\mathit{execute}^i_j$. For the transitions $\mathit{transfer}^j_l\cdot\mathit{fire}$ and $\mathit{execute}^k_l$ this follows directly from Lemma 10. For $\mathit{transfer}^h_j\cdot\mathit{undo}(\mathit{trans}^h_j\text{-}\mathit{out})$ this also follows from Lemma 10, in which $j$, $k$ and $l$ play the role of the current $h$, $i$ and $j$. For the transitions $\mathit{initialise}_l\cdot\mathit{undo}(\mathit{trans}^j_l\text{-}\mathit{in})$ and $\mathit{initialise}_j\cdot\mathit{undo}(\mathit{pre}^g_j)$ this has been established in Lemma 11. □

Our main result follows by combining Theorems 5 and 6 and Proposition 3.

Theorem 7 Let $N$ be a finitary plain structural conflict net without a fully reachable pure M. Then $N$ is distributable up to $\approx_{\mathit{STb}}$.

Corollary 3 Let $N$ be a finitary plain structural conflict net. Then $N$ is distributable iff it has no fully reachable pure M.
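As an added illustration of Corollary 3 (this is example code, not part of the paper), the following Python checker tests small nets for the structural pattern the proofs above reason about. It assumes the reading of "fully reachable pure M" used in the proofs (three distinct transitions $t,u,v$ with ${}^\bullet t \cap {}^\bullet u \neq \emptyset$, ${}^\bullet u \cap {}^\bullet v \neq \emptyset$, ${}^\bullet t \cap {}^\bullet v = \emptyset$, all enabled under one reachable marking) and of "structural conflict net" (transitions sharing a preplace, a transition with itself included, are never enabled concurrently); the net class `PetriNet`, the two sample nets and all function names are constructed here.

```python
"""Added example (not the paper's code): applying Corollary 3 to small nets.
Assumed definitions (as used in the proofs above): a fully reachable pure M is
three distinct transitions t, u, v with pre(t)&pre(u), pre(u)&pre(v) non-empty,
pre(t)&pre(v) empty, all enabled under one reachable marking; a structural
conflict net never concurrently enables two transitions (t == u included) that
share a preplace.  Reachability is a bounded BFS, conclusive for bounded nets."""
from collections import deque
from itertools import combinations


class PetriNet:
    def __init__(self, places, transitions, pre, post, m0):
        # pre[t][p] = F(p, t) and post[t][p] = F(t, p); absent arcs weigh 0.
        self.places = list(places)
        self.transitions = list(transitions)
        self.pre = {t: dict(pre.get(t, {})) for t in self.transitions}
        self.post = {t: dict(post.get(t, {})) for t in self.transitions}
        self.m0 = {p: m0.get(p, 0) for p in self.places}

    def enables_step(self, m, step):
        """M[U>: the marking M covers the summed preplaces of the multiset U."""
        need = {}
        for t in step:
            for p, w in self.pre[t].items():
                need[p] = need.get(p, 0) + w
        return all(m.get(p, 0) >= w for p, w in need.items())

    def fire(self, m, t):
        m2 = dict(m)
        for p, w in self.pre[t].items():
            m2[p] -= w
        for p, w in self.post[t].items():
            m2[p] = m2.get(p, 0) + w
        return m2

    def reachable(self, limit=10_000):
        """Breadth-first exploration of [M0>, cut off after `limit` markings."""
        key = lambda m: tuple(m[p] for p in self.places)
        seen = {key(self.m0): dict(self.m0)}
        queue = deque([dict(self.m0)])
        while queue and len(seen) < limit:
            m = queue.popleft()
            for t in self.transitions:
                if self.enables_step(m, [t]):
                    m2 = self.fire(m, t)
                    if key(m2) not in seen:
                        seen[key(m2)] = m2
                        queue.append(m2)
        return list(seen.values())

    def structural_ms(self):
        """Triples (t, u, v): t, u share a preplace, u, v share one, t, v none."""
        pre = lambda t: set(self.pre[t])
        found = []
        for u in self.transitions:
            others = [x for x in self.transitions if x != u]
            for t, v in combinations(others, 2):
                if pre(t) & pre(u) and pre(u) & pre(v) and not pre(t) & pre(v):
                    found.append((t, u, v))
        return found

    def fully_reachable_pure_m(self, limit=10_000):
        """Witness (t, u, v, M) with reachable M enabling each of t, u, v, or None."""
        ms = self.structural_ms()
        if not ms:
            return None
        for m in self.reachable(limit):
            for t, u, v in ms:
                if all(self.enables_step(m, [x]) for x in (t, u, v)):
                    return (t, u, v, m)
        return None


def is_structural_conflict_net(net, limit=10_000):
    """No reachable marking enables {t}+{u} for t, u sharing a preplace (t == u allowed)."""
    pairs = [(t, u) for t in net.transitions for u in net.transitions
             if set(net.pre[t]) & set(net.pre[u])]
    markings = net.reachable(limit)
    return not any(net.enables_step(m, [t, u]) for m in markings for t, u in pairs)


def distributable(net, limit=10_000):
    """Corollary 3: a finitary plain structural conflict net is distributable
    iff it has no fully reachable pure M."""
    if not is_structural_conflict_net(net, limit):
        raise ValueError("not a structural conflict net; Corollary 3 does not apply")
    return net.fully_reachable_pure_m(limit) is None


# Constructed sample nets (not taken from the paper).  The classic M: a and c
# each share a preplace with b but not with each other; all three start enabled.
M_NET = PetriNet(
    places=["p", "q"], transitions=["a", "b", "c"],
    pre={"a": {"p": 1}, "b": {"p": 1, "q": 1}, "c": {"q": 1}}, post={},
    m0={"p": 1, "q": 1})

# Same M shape, but q only receives a token after a has consumed p, so the
# three transitions are never enabled together: an M that is never fully reachable.
DELAYED_NET = PetriNet(
    places=["p", "q", "r"], transitions=["a", "b", "c", "d"],
    pre={"a": {"p": 1}, "b": {"p": 1, "q": 1}, "c": {"q": 1}, "d": {"r": 1}},
    post={"a": {"r": 1}, "d": {"q": 1}},
    m0={"p": 1})

if __name__ == "__main__":
    print("M_NET distributable:", distributable(M_NET))              # False
    print("DELAYED_NET distributable:", distributable(DELAYED_NET))  # True
```

The second net shows why the characterisation is semi-structural: it has the M shape in its flow relation, yet no reachable marking enables all three transitions, so Corollary 3 classifies it as distributable.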



8 Conclusion 

In this paper, we have given a precise characterisation of distributable Petri nets in terms of a semi- 
structural property. Moreover, we have shown that our notion of distributability corresponds to an intu- 
itive notion of a distributed system by establishing that any distributable net may be implemented as a 
network of asynchronously communicating components. 

In order to formalise what qualifies as a valid implementation, we needed a suitable equivalence
relation. We have chosen step readiness equivalence for showing the impossibility part of our
characterisation, since it is one of the simplest and least discriminating semantic equivalences imaginable
that abstracts from internal actions but preserves branching time, concurrency and divergence to some
small degree. For the positive part, stating that all other nets are implementable, we have introduced
a combination of several well known, rather discriminating equivalences, namely a divergence sensitive
version of branching bisimulation adapted to ST-semantics. Hence our characterisation is rather robust
against the chosen equivalence; it holds in fact for all equivalences between these two notions. However,
ST-equivalence (and our version of it) preserves the causal structure between action occurrences only as
far as it can be expressed in terms of the possibility of durational actions to overlap in time. Hence a
natural question is whether we could have chosen an even stronger causality sensitive equivalence for our
implementability result, respecting e.g. pomset equivalence or history preserving bisimulation. Our
conflict replicating implementation does not fully preserve the causal behaviour of nets; we are convinced
that we have chosen the strongest possible equivalence for which our implementation works. It is an
open problem to find a class of nets that can be implemented distributedly while preserving divergence,
branching time and causality in full. Another line of research is to investigate which Petri nets can be
implemented as distributed nets when relaxing the requirement of preserving the branching structure.
If we allow linear time correct implementations (using a step trace equivalence), we conjecture that all
Petri nets become distributable. However, also in this case it is problematic, in fact even impossible in
our setting, to preserve the causal structure, as has been shown in [16]. A similar impossibility result has
been obtained in the world of the π-calculus in [14].

The interplay between choice and synchronous communication has already been investigated in quite
a number of approaches in different frameworks. We refer to [6] for a rather comprehensive overview
and concentrate here on recent and closely related work.

The idea of modelling asynchronously communicating sequential components by sequential Petri
nets interacting through buffer places has already been considered in [15]. There Wolfgang Reisig
introduces a class of systems, represented as Petri nets, where the relative speeds of different components are
guaranteed to be irrelevant. His class is a strict subset of our LSGA nets, requiring additionally, amongst
others, that all choices in sequential components are free, i.e. do not depend upon the existence of buffer
tokens, and that places are output buffers of only one component. Another quite similar approach was
taken in [?], where transition labels are classified as being either input or output. There, asynchrony is
introduced by adding new buffer places during net composition. This framework does not allow multiple
senders for a single receiver.

Other notions of distributed and distributable Petri nets are proposed in [11, 1, 2]. In these works,
given a distribution of the transitions of a net, the net is distributable iff it can be implemented by a
net that is distributed w.r.t. that distribution. The requirement that concurrent transitions may not be
co-located is absent; given the fixed distribution, there is no need for such a requirement. These papers
differ from each other, and from ours, in what counts as a valid implementation. A comparison of our
criterion with that of Hopkins [11] is provided in [6].

In [6] we have obtained a characterisation similar to Corollary 3, but for a much more restricted
notion of distributed implementation (plain distributability), disallowing nontrivial transition labellings
in distributed implementations. We also proved that fully reachable pure Ms are not implementable in a
distributed way, even when using transition labels (Theorem 2). However, we were not able to show that
this upper bound on the class of distributable systems was tight. Our current work implies the validity of
Conjecture 1 of [6]. While in [6] we considered only one-safe place/transition systems, the present paper
employs a more general class of place/transition systems, namely structural conflict nets. This enables
us to give a concrete characterisation of distributed nets as systems of sequential components interacting
via non-safe buffer places.